2012-05-18 13:47:34 +00:00
|
|
|
/*
|
|
|
|
* include/proto/ssl_sock.h
|
|
|
|
* This file contains definition for ssl stream socket operations
|
|
|
|
*
|
|
|
|
* Copyright (C) 2012 EXCELIANCE, Emeric Brun <ebrun@exceliance.fr>
|
|
|
|
*
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
* License as published by the Free Software Foundation, version 2.1
|
|
|
|
* exclusively.
|
|
|
|
*
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* Lesser General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
|
|
* License along with this library; if not, write to the Free Software
|
|
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
|
|
|
*/
|
|
|
|
|
|
|
|
#ifndef _PROTO_SSL_SOCK_H
|
|
|
|
#define _PROTO_SSL_SOCK_H
|
2012-09-07 15:30:07 +00:00
|
|
|
#include <openssl/ssl.h>
|
2012-05-18 13:47:34 +00:00
|
|
|
|
2012-09-12 20:58:11 +00:00
|
|
|
#include <types/connection.h>
|
|
|
|
#include <types/listener.h>
|
|
|
|
#include <types/proxy.h>
|
2012-05-18 13:47:34 +00:00
|
|
|
#include <types/stream_interface.h>
|
|
|
|
|
2014-01-28 14:19:44 +00:00
|
|
|
extern int sslconns;
|
|
|
|
extern int totalsslconns;
|
|
|
|
|
2014-05-09 03:42:08 +00:00
|
|
|
/* boolean, returns true if connection is over SSL */
|
|
|
|
static inline
|
|
|
|
int ssl_sock_is_ssl(struct connection *conn)
|
|
|
|
{
|
2016-12-22 20:08:52 +00:00
|
|
|
if (!conn || conn->xprt != xprt_get(XPRT_SSL) || !conn->xprt_ctx)
|
2014-05-09 03:42:08 +00:00
|
|
|
return 0;
|
|
|
|
else
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2012-05-18 13:47:34 +00:00
|
|
|
int ssl_sock_handshake(struct connection *conn, unsigned int flag);
|
2016-12-29 17:26:15 +00:00
|
|
|
int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *, SSL_CTX *ctx);
|
2016-12-22 16:08:28 +00:00
|
|
|
int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf);
|
2016-12-21 22:38:39 +00:00
|
|
|
int ssl_sock_prepare_bind_conf(struct bind_conf *bind_conf);
|
2016-12-22 16:08:28 +00:00
|
|
|
int ssl_sock_prepare_srv_ctx(struct server *srv);
|
2015-07-29 11:02:40 +00:00
|
|
|
void ssl_sock_free_srv_ctx(struct server *srv);
|
2012-09-13 15:54:29 +00:00
|
|
|
void ssl_sock_free_all_ctx(struct bind_conf *bind_conf);
|
2016-12-22 16:08:28 +00:00
|
|
|
int ssl_sock_load_ca(struct bind_conf *bind_conf);
|
2015-06-09 15:29:50 +00:00
|
|
|
void ssl_sock_free_ca(struct bind_conf *bind_conf);
|
2018-02-01 17:29:59 +00:00
|
|
|
const char *ssl_sock_get_sni(struct connection *conn);
|
2017-11-02 13:05:23 +00:00
|
|
|
const char *ssl_sock_get_cert_sig(struct connection *conn);
|
2012-10-12 18:17:54 +00:00
|
|
|
const char *ssl_sock_get_cipher_name(struct connection *conn);
|
|
|
|
const char *ssl_sock_get_proto_version(struct connection *conn);
|
2018-12-21 18:45:40 +00:00
|
|
|
void ssl_sock_set_alpn(struct connection *conn, const unsigned char *, int);
|
2015-07-10 09:33:32 +00:00
|
|
|
void ssl_sock_set_servername(struct connection *conn, const char *hostname);
|
2018-12-21 18:45:40 +00:00
|
|
|
|
2014-07-30 14:39:13 +00:00
|
|
|
int ssl_sock_get_cert_used_sess(struct connection *conn);
|
|
|
|
int ssl_sock_get_cert_used_conn(struct connection *conn);
|
2018-07-13 09:56:34 +00:00
|
|
|
int ssl_sock_get_remote_common_name(struct connection *conn,
|
|
|
|
struct buffer *out);
|
|
|
|
int ssl_sock_get_pkey_algo(struct connection *conn, struct buffer *out);
|
2014-05-09 03:42:08 +00:00
|
|
|
unsigned int ssl_sock_get_verify_result(struct connection *conn);
|
2014-12-09 15:32:51 +00:00
|
|
|
#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
|
2018-07-13 09:56:34 +00:00
|
|
|
int ssl_sock_update_ocsp_response(struct buffer *ocsp_response, char **err);
|
2014-06-16 16:36:30 +00:00
|
|
|
#endif
|
2015-05-09 06:46:01 +00:00
|
|
|
#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
|
2019-01-10 16:51:55 +00:00
|
|
|
int ssl_sock_update_tlskey_ref(struct tls_keys_ref *ref,
|
2018-07-13 09:56:34 +00:00
|
|
|
struct buffer *tlskey);
|
|
|
|
int ssl_sock_update_tlskey(char *filename, struct buffer *tlskey, char **err);
|
2015-05-09 06:46:01 +00:00
|
|
|
struct tls_keys_ref *tlskeys_ref_lookup(const char *filename);
|
|
|
|
struct tls_keys_ref *tlskeys_ref_lookupid(int unique_id);
|
|
|
|
#endif
|
2015-05-29 13:53:22 +00:00
|
|
|
#ifndef OPENSSL_NO_DH
|
|
|
|
int ssl_sock_load_global_dh_param_from_file(const char *filename);
|
2017-01-21 01:10:18 +00:00
|
|
|
void ssl_free_dh(void);
|
2015-05-29 13:53:22 +00:00
|
|
|
#endif
|
2017-01-21 01:10:18 +00:00
|
|
|
void ssl_free_engines(void);
|
2012-05-18 13:47:34 +00:00
|
|
|
|
2015-11-12 10:35:51 +00:00
|
|
|
SSL_CTX *ssl_sock_create_cert(struct connection *conn, const char *servername, unsigned int key);
|
2017-06-15 14:37:39 +00:00
|
|
|
SSL_CTX *ssl_sock_assign_generated_cert(unsigned int key, struct bind_conf *bind_conf, SSL *ssl);
|
2015-11-12 10:35:51 +00:00
|
|
|
SSL_CTX *ssl_sock_get_generated_cert(unsigned int key, struct bind_conf *bind_conf);
|
|
|
|
int ssl_sock_set_generated_cert(SSL_CTX *ctx, unsigned int key, struct bind_conf *bind_conf);
|
|
|
|
unsigned int ssl_sock_generated_cert_key(const void *data, size_t len);
|
2015-06-11 11:39:32 +00:00
|
|
|
|
2019-05-05 18:27:54 +00:00
|
|
|
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
|
2019-04-19 15:15:28 +00:00
|
|
|
void ssl_async_fd_handler(int fd);
|
|
|
|
void ssl_async_fd_free(int fd);
|
|
|
|
#endif
|
2017-10-30 18:36:36 +00:00
|
|
|
|
|
|
|
/* ssl shctx macro */
|
|
|
|
|
MEDIUM: shctx: separate ssl and shctx
This patch reorganize the shctx API in a generic storage API, separating
the shared SSL session handling from its core.
The shctx API only handles the generic data part, it does not know what
kind of data you use with it.
A shared_context is a storage structure allocated in a shared memory,
allowing its usage in a multithread or a multiprocess context.
The structure use 2 linked list, one containing the available blocks,
and another for the hot locked blocks. At initialization the available
list is filled with <maxblocks> blocks of size <blocksize>. An <extra>
space is initialized outside the list in case you need some specific
storage.
+-----------------------+--------+--------+--------+--------+----
| struct shared_context | extra | block1 | block2 | block3 | ...
+-----------------------+--------+--------+--------+--------+----
<-------- maxblocks --------->
* blocksize
The API allows to store content on several linked blocks. For example,
if you allocated blocks of 16 bytes, and you want to store an object of
60 bytes, the object will be allocated in a row of 4 blocks.
The API was made for LRU usage, each time you get an object, it pushes
the object at the end of the list. When it needs more space, it discards
The functions name have been renamed in a more logical way, the part
regarding shctx have been prefixed by shctx_ and the functions for the
shared ssl session cache have been prefixed by sh_ssl_sess_.
2017-10-30 19:08:51 +00:00
|
|
|
#define sh_ssl_sess_tree_delete(s) ebmb_delete(&(s)->key);
|
2017-10-30 18:36:36 +00:00
|
|
|
|
MEDIUM: shctx: separate ssl and shctx
This patch reorganize the shctx API in a generic storage API, separating
the shared SSL session handling from its core.
The shctx API only handles the generic data part, it does not know what
kind of data you use with it.
A shared_context is a storage structure allocated in a shared memory,
allowing its usage in a multithread or a multiprocess context.
The structure use 2 linked list, one containing the available blocks,
and another for the hot locked blocks. At initialization the available
list is filled with <maxblocks> blocks of size <blocksize>. An <extra>
space is initialized outside the list in case you need some specific
storage.
+-----------------------+--------+--------+--------+--------+----
| struct shared_context | extra | block1 | block2 | block3 | ...
+-----------------------+--------+--------+--------+--------+----
<-------- maxblocks --------->
* blocksize
The API allows to store content on several linked blocks. For example,
if you allocated blocks of 16 bytes, and you want to store an object of
60 bytes, the object will be allocated in a row of 4 blocks.
The API was made for LRU usage, each time you get an object, it pushes
the object at the end of the list. When it needs more space, it discards
The functions name have been renamed in a more logical way, the part
regarding shctx have been prefixed by shctx_ and the functions for the
shared ssl session cache have been prefixed by sh_ssl_sess_.
2017-10-30 19:08:51 +00:00
|
|
|
#define sh_ssl_sess_tree_insert(s) (struct sh_ssl_sess_hdr *)ebmb_insert(sh_ssl_sess_tree, \
|
|
|
|
&(s)->key, SSL_MAX_SSL_SESSION_ID_LENGTH);
|
2017-10-30 18:36:36 +00:00
|
|
|
|
MEDIUM: shctx: separate ssl and shctx
This patch reorganize the shctx API in a generic storage API, separating
the shared SSL session handling from its core.
The shctx API only handles the generic data part, it does not know what
kind of data you use with it.
A shared_context is a storage structure allocated in a shared memory,
allowing its usage in a multithread or a multiprocess context.
The structure use 2 linked list, one containing the available blocks,
and another for the hot locked blocks. At initialization the available
list is filled with <maxblocks> blocks of size <blocksize>. An <extra>
space is initialized outside the list in case you need some specific
storage.
+-----------------------+--------+--------+--------+--------+----
| struct shared_context | extra | block1 | block2 | block3 | ...
+-----------------------+--------+--------+--------+--------+----
<-------- maxblocks --------->
* blocksize
The API allows to store content on several linked blocks. For example,
if you allocated blocks of 16 bytes, and you want to store an object of
60 bytes, the object will be allocated in a row of 4 blocks.
The API was made for LRU usage, each time you get an object, it pushes
the object at the end of the list. When it needs more space, it discards
The functions name have been renamed in a more logical way, the part
regarding shctx have been prefixed by shctx_ and the functions for the
shared ssl session cache have been prefixed by sh_ssl_sess_.
2017-10-30 19:08:51 +00:00
|
|
|
#define sh_ssl_sess_tree_lookup(k) (struct sh_ssl_sess_hdr *)ebmb_lookup(sh_ssl_sess_tree, \
|
|
|
|
(k), SSL_MAX_SSL_SESSION_ID_LENGTH);
|
2012-05-18 13:47:34 +00:00
|
|
|
#endif /* _PROTO_SSL_SOCK_H */
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Local variables:
|
|
|
|
* c-indent-level: 8
|
|
|
|
* c-basic-offset: 8
|
|
|
|
* End:
|
|
|
|
*/
|