Mercurial > hg > nginx
annotate src/event/ngx_event_openssl.h @ 7415:2cf1d945bbb3 stable-1.14
SSL: fixed build with LibreSSL 2.8.0 (ticket #1605).
LibreSSL 2.8.0 "added const annotations to many existing APIs from OpenSSL,
making interoperability easier for downstream applications". This includes
the const change in the SSL_CTX_sess_set_get_cb() callback function (see
9dd43f4ef67e), which breaks compilation.
To fix this, added a condition on how we redefine OPENSSL_VERSION_NUMBER
when working with LibreSSL (see 382fc7069e3a). With LibreSSL 2.8.0,
we now set OPENSSL_VERSION_NUMBER to 0x1010000fL (OpenSSL 1.1.0), so the
appropriate conditions in the code will use "const" as it happens with
OpenSSL 1.1.0 and later versions.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Fri, 10 Aug 2018 20:49:06 +0300 |
parents | 8076ba459f05 |
children |
rev | line source |
---|---|
441
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
1 |
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2 /* |
444
42d11f017717
nginx-0.1.0-2004-09-29-20:00:49 import; remove years from copyright
Igor Sysoev <igor@sysoev.ru>
parents:
441
diff
changeset
|
3 * Copyright (C) Igor Sysoev |
4412 | 4 * Copyright (C) Nginx, Inc. |
441
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
5 */ |
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
6 |
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
7 |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
8 #ifndef _NGX_EVENT_OPENSSL_H_INCLUDED_ |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
9 #define _NGX_EVENT_OPENSSL_H_INCLUDED_ |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
10 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
11 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
12 #include <ngx_config.h> |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
13 #include <ngx_core.h> |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
14 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
15 #include <openssl/ssl.h> |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
16 #include <openssl/err.h> |
5753
febce92c82f6
SSL: include correct OpenSSL headers.
Piotr Sikora <piotr@cloudflare.com>
parents:
5744
diff
changeset
|
17 #include <openssl/bn.h> |
968 | 18 #include <openssl/conf.h> |
5753
febce92c82f6
SSL: include correct OpenSSL headers.
Piotr Sikora <piotr@cloudflare.com>
parents:
5744
diff
changeset
|
19 #include <openssl/crypto.h> |
febce92c82f6
SSL: include correct OpenSSL headers.
Piotr Sikora <piotr@cloudflare.com>
parents:
5744
diff
changeset
|
20 #include <openssl/dh.h> |
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5753
diff
changeset
|
21 #ifndef OPENSSL_NO_ENGINE |
541 | 22 #include <openssl/engine.h> |
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5753
diff
changeset
|
23 #endif |
3464
7f99ce2247f9
add OpenSSL_add_all_algorithms(), this fixes the error
Igor Sysoev <igor@sysoev.ru>
parents:
3300
diff
changeset
|
24 #include <openssl/evp.h> |
7132
8076ba459f05
SSL: include <openssl/hmac.h>.
Alessandro Ghedini <alessandro@ghedini.me>
parents:
7091
diff
changeset
|
25 #include <openssl/hmac.h> |
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5753
diff
changeset
|
26 #ifndef OPENSSL_NO_OCSP |
4873
dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
27 #include <openssl/ocsp.h> |
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5753
diff
changeset
|
28 #endif |
5753
febce92c82f6
SSL: include correct OpenSSL headers.
Piotr Sikora <piotr@cloudflare.com>
parents:
5744
diff
changeset
|
29 #include <openssl/rand.h> |
febce92c82f6
SSL: include correct OpenSSL headers.
Piotr Sikora <piotr@cloudflare.com>
parents:
5744
diff
changeset
|
30 #include <openssl/rsa.h> |
febce92c82f6
SSL: include correct OpenSSL headers.
Piotr Sikora <piotr@cloudflare.com>
parents:
5744
diff
changeset
|
31 #include <openssl/x509.h> |
febce92c82f6
SSL: include correct OpenSSL headers.
Piotr Sikora <piotr@cloudflare.com>
parents:
5744
diff
changeset
|
32 #include <openssl/x509v3.h> |
541 | 33 |
547 | 34 #define NGX_SSL_NAME "OpenSSL" |
35 | |
36 | |
6485
382fc7069e3a
SSL: reasonable version for LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6261
diff
changeset
|
37 #if (defined LIBRESSL_VERSION_NUMBER && OPENSSL_VERSION_NUMBER == 0x20000000L) |
382fc7069e3a
SSL: reasonable version for LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6261
diff
changeset
|
38 #undef OPENSSL_VERSION_NUMBER |
7415
2cf1d945bbb3
SSL: fixed build with LibreSSL 2.8.0 (ticket #1605).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7132
diff
changeset
|
39 #if (LIBRESSL_VERSION_NUMBER >= 0x2080000fL) |
2cf1d945bbb3
SSL: fixed build with LibreSSL 2.8.0 (ticket #1605).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7132
diff
changeset
|
40 #define OPENSSL_VERSION_NUMBER 0x1010000fL |
2cf1d945bbb3
SSL: fixed build with LibreSSL 2.8.0 (ticket #1605).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7132
diff
changeset
|
41 #else |
6485
382fc7069e3a
SSL: reasonable version for LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6261
diff
changeset
|
42 #define OPENSSL_VERSION_NUMBER 0x1000107fL |
382fc7069e3a
SSL: reasonable version for LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6261
diff
changeset
|
43 #endif |
7415
2cf1d945bbb3
SSL: fixed build with LibreSSL 2.8.0 (ticket #1605).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7132
diff
changeset
|
44 #endif |
6485
382fc7069e3a
SSL: reasonable version for LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6261
diff
changeset
|
45 |
382fc7069e3a
SSL: reasonable version for LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6261
diff
changeset
|
46 |
6492
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
47 #if (OPENSSL_VERSION_NUMBER >= 0x10100001L) |
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
48 |
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
49 #define ngx_ssl_version() OpenSSL_version(OPENSSL_VERSION) |
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
50 |
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
51 #else |
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
52 |
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
53 #define ngx_ssl_version() SSLeay_version(SSLEAY_VERSION) |
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
54 |
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
55 #endif |
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
56 |
3b77efe05b92
SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
57 |
671 | 58 #define ngx_ssl_session_t SSL_SESSION |
59 #define ngx_ssl_conn_t SSL | |
60 | |
61 | |
6982
ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6981
diff
changeset
|
62 #if (OPENSSL_VERSION_NUMBER < 0x10002000L) |
ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6981
diff
changeset
|
63 #define SSL_is_server(s) (s)->server |
ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6981
diff
changeset
|
64 #endif |
ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6981
diff
changeset
|
65 |
ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6981
diff
changeset
|
66 |
6735
e38e9c50a40e
Modules compatibility: compatibility with NGX_HTTP_SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6591
diff
changeset
|
67 struct ngx_ssl_s { |
547 | 68 SSL_CTX *ctx; |
69 ngx_log_t *log; | |
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
70 size_t buffer_size; |
6735
e38e9c50a40e
Modules compatibility: compatibility with NGX_HTTP_SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6591
diff
changeset
|
71 }; |
541 | 72 |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
73 |
6735
e38e9c50a40e
Modules compatibility: compatibility with NGX_HTTP_SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6591
diff
changeset
|
74 struct ngx_ssl_connection_s { |
671 | 75 ngx_ssl_conn_t *connection; |
6261
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5882
diff
changeset
|
76 SSL_CTX *session_ctx; |
647 | 77 |
547 | 78 ngx_int_t last; |
79 ngx_buf_t *buf; | |
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
80 size_t buffer_size; |
547 | 81 |
82 ngx_connection_handler_pt handler; | |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
83 |
547 | 84 ngx_event_handler_pt saved_read_handler; |
85 ngx_event_handler_pt saved_write_handler; | |
479 | 86 |
547 | 87 unsigned handshaked:1; |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3154
diff
changeset
|
88 unsigned renegotiation:1; |
547 | 89 unsigned buffer:1; |
90 unsigned no_wait_shutdown:1; | |
91 unsigned no_send_shutdown:1; | |
5395
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5223
diff
changeset
|
92 unsigned handshake_buffer_set:1; |
6735
e38e9c50a40e
Modules compatibility: compatibility with NGX_HTTP_SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6591
diff
changeset
|
93 }; |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
94 |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
95 |
2032 | 96 #define NGX_SSL_NO_SCACHE -2 |
97 #define NGX_SSL_NONE_SCACHE -3 | |
98 #define NGX_SSL_NO_BUILTIN_SCACHE -4 | |
99 #define NGX_SSL_DFLT_BUILTIN_SCACHE -5 | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
100 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
101 |
1778 | 102 #define NGX_SSL_MAX_SESSION_SIZE 4096 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
103 |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
974
diff
changeset
|
104 typedef struct ngx_ssl_sess_id_s ngx_ssl_sess_id_t; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
105 |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
974
diff
changeset
|
106 struct ngx_ssl_sess_id_s { |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
107 ngx_rbtree_node_t node; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
108 u_char *id; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
109 size_t len; |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
974
diff
changeset
|
110 u_char *session; |
1760 | 111 ngx_queue_t queue; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
112 time_t expire; |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1014
diff
changeset
|
113 #if (NGX_PTR_SIZE == 8) |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1014
diff
changeset
|
114 void *stub; |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1014
diff
changeset
|
115 u_char sess_id[32]; |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1014
diff
changeset
|
116 #endif |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
117 }; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
118 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
119 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
120 typedef struct { |
1759
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1017
diff
changeset
|
121 ngx_rbtree_t session_rbtree; |
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1017
diff
changeset
|
122 ngx_rbtree_node_t sentinel; |
1760 | 123 ngx_queue_t expire_queue; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
124 } ngx_ssl_session_cache_t; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
125 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
126 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5395
diff
changeset
|
127 #ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5395
diff
changeset
|
128 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5395
diff
changeset
|
129 typedef struct { |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6817
diff
changeset
|
130 size_t size; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5395
diff
changeset
|
131 u_char name[16]; |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6817
diff
changeset
|
132 u_char hmac_key[32]; |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6817
diff
changeset
|
133 u_char aes_key[32]; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5395
diff
changeset
|
134 } ngx_ssl_session_ticket_key_t; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5395
diff
changeset
|
135 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5395
diff
changeset
|
136 #endif |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5395
diff
changeset
|
137 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
138 |
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
139 #define NGX_SSL_SSLv2 0x0002 |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
140 #define NGX_SSL_SSLv3 0x0004 |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
141 #define NGX_SSL_TLSv1 0x0008 |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
142 #define NGX_SSL_TLSv1_1 0x0010 |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
143 #define NGX_SSL_TLSv1_2 0x0020 |
6981
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
144 #define NGX_SSL_TLSv1_3 0x0040 |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
145 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
146 |
547 | 147 #define NGX_SSL_BUFFER 1 |
577 | 148 #define NGX_SSL_CLIENT 2 |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
149 |
547 | 150 #define NGX_SSL_BUFSIZE 16384 |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
151 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
152 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
153 ngx_int_t ngx_ssl_init(ngx_log_t *log); |
969 | 154 ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data); |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6548
diff
changeset
|
155 ngx_int_t ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6548
diff
changeset
|
156 ngx_array_t *certs, ngx_array_t *keys, ngx_array_t *passwords); |
563 | 157 ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
158 ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords); |
6591
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6550
diff
changeset
|
159 ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers, |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6550
diff
changeset
|
160 ngx_uint_t prefer_server_ciphers); |
647 | 161 ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, |
671 | 162 ngx_str_t *cert, ngx_int_t depth); |
4872
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
163 ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
164 ngx_str_t *cert, ngx_int_t depth); |
2995 | 165 ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
166 ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, |
4879
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
167 ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
168 ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
169 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout); |
5223
71d85de7b53b
Style: replace SSL *ssl with ngx_ssl_conn_t *ssl_conn.
Piotr Sikora <piotr@cloudflare.com>
parents:
4884
diff
changeset
|
170 RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export, |
71d85de7b53b
Style: replace SSL *ssl with ngx_ssl_conn_t *ssl_conn.
Piotr Sikora <piotr@cloudflare.com>
parents:
4884
diff
changeset
|
171 int key_length); |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
172 ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file); |
2044 | 173 ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file); |
3960 | 174 ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
175 ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
176 ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5395
diff
changeset
|
177 ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5395
diff
changeset
|
178 ngx_array_t *paths); |
3992
a1dd9dc754ab
A new fix for the case when ssl_session_cache defined, but ssl is not
Igor Sysoev <igor@sysoev.ru>
parents:
3960
diff
changeset
|
179 ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data); |
547 | 180 ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, |
543 | 181 ngx_uint_t flags); |
577 | 182 |
1924
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1779
diff
changeset
|
183 void ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess); |
577 | 184 ngx_int_t ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session); |
611 | 185 #define ngx_ssl_get_session(c) SSL_get1_session(c->ssl->connection) |
186 #define ngx_ssl_free_session SSL_SESSION_free | |
969 | 187 #define ngx_ssl_get_connection(ssl_conn) \ |
188 SSL_get_ex_data(ssl_conn, ngx_ssl_connection_index) | |
189 #define ngx_ssl_get_server_conf(ssl_ctx) \ | |
190 SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_server_conf_index) | |
611 | 191 |
4884
e406c997470a
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
192 #define ngx_ssl_verify_error_optional(n) \ |
e406c997470a
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
193 (n == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT \ |
e406c997470a
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
194 || n == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN \ |
e406c997470a
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
195 || n == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY \ |
e406c997470a
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
196 || n == X509_V_ERR_CERT_UNTRUSTED \ |
e406c997470a
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
197 || n == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) |
e406c997470a
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
198 |
5661
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
199 ngx_int_t ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
200 |
611 | 201 |
671 | 202 ngx_int_t ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool, |
203 ngx_str_t *s); | |
204 ngx_int_t ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool, | |
205 ngx_str_t *s); | |
6816
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
206 ngx_int_t ngx_ssl_get_ciphers(ngx_connection_t *c, ngx_pool_t *pool, |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
207 ngx_str_t *s); |
6817
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
208 ngx_int_t ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool, |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
209 ngx_str_t *s); |
3154 | 210 ngx_int_t ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, |
211 ngx_str_t *s); | |
5573
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5487
diff
changeset
|
212 ngx_int_t ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool, |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5487
diff
changeset
|
213 ngx_str_t *s); |
5658
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5573
diff
changeset
|
214 ngx_int_t ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool, |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5573
diff
changeset
|
215 ngx_str_t *s); |
2123 | 216 ngx_int_t ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, |
217 ngx_str_t *s); | |
2045 | 218 ngx_int_t ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool, |
219 ngx_str_t *s); | |
7091
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6982
diff
changeset
|
220 ngx_int_t ngx_ssl_get_escaped_certificate(ngx_connection_t *c, ngx_pool_t *pool, |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6982
diff
changeset
|
221 ngx_str_t *s); |
647 | 222 ngx_int_t ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool, |
223 ngx_str_t *s); | |
224 ngx_int_t ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool, | |
225 ngx_str_t *s); | |
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6735
diff
changeset
|
226 ngx_int_t ngx_ssl_get_subject_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool, |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6735
diff
changeset
|
227 ngx_str_t *s); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6735
diff
changeset
|
228 ngx_int_t ngx_ssl_get_issuer_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool, |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6735
diff
changeset
|
229 ngx_str_t *s); |
671 | 230 ngx_int_t ngx_ssl_get_serial_number(ngx_connection_t *c, ngx_pool_t *pool, |
231 ngx_str_t *s); | |
5700
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5661
diff
changeset
|
232 ngx_int_t ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool, |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5661
diff
changeset
|
233 ngx_str_t *s); |
2994 | 234 ngx_int_t ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool, |
235 ngx_str_t *s); | |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
236 ngx_int_t ngx_ssl_get_client_v_start(ngx_connection_t *c, ngx_pool_t *pool, |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
237 ngx_str_t *s); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
238 ngx_int_t ngx_ssl_get_client_v_end(ngx_connection_t *c, ngx_pool_t *pool, |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
239 ngx_str_t *s); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
240 ngx_int_t ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool, |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
241 ngx_str_t *s); |
671 | 242 |
647 | 243 |
547 | 244 ngx_int_t ngx_ssl_handshake(ngx_connection_t *c); |
469 | 245 ssize_t ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size); |
539 | 246 ssize_t ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size); |
5882
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5777
diff
changeset
|
247 ssize_t ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl, off_t limit); |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
248 ngx_chain_t *ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, |
489 | 249 off_t limit); |
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
250 void ngx_ssl_free_buffer(ngx_connection_t *c); |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
251 ngx_int_t ngx_ssl_shutdown(ngx_connection_t *c); |
583 | 252 void ngx_cdecl ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, |
489 | 253 char *fmt, ...); |
509 | 254 void ngx_ssl_cleanup_ctx(void *data); |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
255 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
256 |
969 | 257 extern int ngx_ssl_connection_index; |
258 extern int ngx_ssl_server_conf_index; | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
259 extern int ngx_ssl_session_cache_index; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5395
diff
changeset
|
260 extern int ngx_ssl_session_ticket_keys_index; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
261 extern int ngx_ssl_certificate_index; |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6492
diff
changeset
|
262 extern int ngx_ssl_next_certificate_index; |
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
263 extern int ngx_ssl_certificate_name_index; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4873
diff
changeset
|
264 extern int ngx_ssl_stapling_index; |
671 | 265 |
266 | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
267 #endif /* _NGX_EVENT_OPENSSL_H_INCLUDED_ */ |