/* Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ /* * * @author Mladen Turk * @version $Revision: 466585 $, $Date: 2006-10-22 00:16:34 +0200 (Sun, 22 Oct 2006) $ */ #ifndef SSL_PRIVATE_H #define SSL_PRIVATE_H /* Exclude unused OpenSSL features * even if the OpenSSL supports them */ #ifndef OPENSSL_NO_IDEA #define OPENSSL_NO_IDEA #endif #ifndef OPENSSL_NO_KRB5 #define OPENSSL_NO_KRB5 #endif #ifndef OPENSSL_NO_MDC2 #define OPENSSL_NO_MDC2 #endif #ifndef OPENSSL_NO_RC5 #define OPENSSL_NO_RC5 #endif /* OpenSSL headers */ #include #include #include #include #include #include #include #include #include /* Avoid tripping over an engine build installed globally and detected * when the user points at an explicit non-engine flavor of OpenSSL */ #ifndef OPENSSL_NO_ENGINE #include #endif #ifndef RAND_MAX #include #define RAND_MAX INT_MAX #endif #define SSL_ALGO_UNKNOWN (0) #define SSL_ALGO_RSA (1<<0) #define SSL_ALGO_DSA (1<<1) #define SSL_ALGO_ALL (SSL_ALGO_RSA|SSL_ALGO_DSA) #define SSL_AIDX_RSA (0) #define SSL_AIDX_DSA (1) #define SSL_AIDX_MAX (2) /* * Define IDs for the temporary RSA keys and DH params */ #define SSL_TMP_KEY_RSA_512 (0) #define SSL_TMP_KEY_RSA_1024 (1) #define SSL_TMP_KEY_RSA_2048 (2) #define SSL_TMP_KEY_RSA_4096 (3) #define SSL_TMP_KEY_DH_512 (4) #define SSL_TMP_KEY_DH_1024 (5) #define SSL_TMP_KEY_DH_2048 (6) #define SSL_TMP_KEY_DH_4096 (7) #define SSL_TMP_KEY_MAX (8) #define SSL_CRT_FORMAT_UNDEF (0) #define SSL_CRT_FORMAT_ASN1 (1) #define SSL_CRT_FORMAT_TEXT (2) #define SSL_CRT_FORMAT_PEM (3) #define SSL_CRT_FORMAT_NETSCAPE (4) #define SSL_CRT_FORMAT_PKCS12 (5) #define SSL_CRT_FORMAT_SMIME (6) #define SSL_CRT_FORMAT_ENGINE (7) /* XXX this stupid macro helps us to avoid * adding yet another param to load_*key() */ #define SSL_KEY_FORMAT_IISSGC (8) /* * Define the SSL options */ #define SSL_OPT_NONE (0) #define SSL_OPT_RELSET (1<<0) #define SSL_OPT_STDENVVARS (1<<1) #define SSL_OPT_EXPORTCERTDATA (1<<3) #define SSL_OPT_FAKEBASICAUTH (1<<4) #define SSL_OPT_STRICTREQUIRE (1<<5) #define SSL_OPT_OPTRENEGOTIATE (1<<6) #define SSL_OPT_ALL (SSL_OPT_STDENVVARS|SSL_OPT_EXPORTCERTDATA|SSL_OPT_FAKEBASICAUTH|SSL_OPT_STRICTREQUIRE|SSL_OPT_OPTRENEGOTIATE) /* * Define the SSL Protocol options */ #define SSL_PROTOCOL_NONE (0) #define SSL_PROTOCOL_SSLV2 (1<<0) #define SSL_PROTOCOL_SSLV3 (1<<1) #define SSL_PROTOCOL_TLSV1 (1<<2) #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1) #define SSL_MODE_CLIENT (0) #define SSL_MODE_SERVER (1) #define SSL_MODE_COMBINED (2) #define SSL_BIO_FLAG_RDONLY (1<<0) #define SSL_BIO_FLAG_CALLBACK (1<<1) #define SSL_DEFAULT_CACHE_SIZE (256) #define SSL_DEFAULT_VHOST_NAME ("_default_:443") #define SSL_MAX_STR_LEN (2048) #define SSL_MAX_PASSWORD_LEN (256) #define SSL_CVERIFY_UNSET (-1) #define SSL_CVERIFY_NONE (0) #define SSL_CVERIFY_OPTIONAL (1) #define SSL_CVERIFY_REQUIRE (2) #define SSL_CVERIFY_OPTIONAL_NO_CA (3) #define SSL_VERIFY_PEER_STRICT (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT) #define SSL_SHUTDOWN_TYPE_UNSET (0) #define SSL_SHUTDOWN_TYPE_STANDARD (1) #define SSL_SHUTDOWN_TYPE_UNCLEAN (2) #define SSL_SHUTDOWN_TYPE_ACCURATE (3) #define SSL_TO_APR_ERROR(X) (APR_OS_START_USERERR + 1000 + X) #define SSL_INFO_SESSION_ID (0x0001) #define SSL_INFO_CIPHER (0x0002) #define SSL_INFO_CIPHER_USEKEYSIZE (0x0003) #define SSL_INFO_CIPHER_ALGKEYSIZE (0x0004) #define SSL_INFO_CIPHER_VERSION (0x0005) #define SSL_INFO_CIPHER_DESCRIPTION (0x0006) #define SSL_INFO_PROTOCOL (0x0007) #define SSL_INFO_CLIENT_S_DN (0x0010) #define SSL_INFO_CLIENT_I_DN (0x0020) #define SSL_INFO_SERVER_S_DN (0x0040) #define SSL_INFO_SERVER_I_DN (0x0080) #define SSL_INFO_DN_COUNTRYNAME (0x0001) #define SSL_INFO_DN_STATEORPROVINCENAME (0x0002) #define SSL_INFO_DN_LOCALITYNAME (0x0003) #define SSL_INFO_DN_ORGANIZATIONNAME (0x0004) #define SSL_INFO_DN_ORGANIZATIONALUNITNAME (0x0005) #define SSL_INFO_DN_COMMONNAME (0x0006) #define SSL_INFO_DN_TITLE (0x0007) #define SSL_INFO_DN_INITIALS (0x0008) #define SSL_INFO_DN_GIVENNAME (0x0009) #define SSL_INFO_DN_SURNAME (0x000A) #define SSL_INFO_DN_DESCRIPTION (0x000B) #define SSL_INFO_DN_UNIQUEIDENTIFIER (0x000C) #define SSL_INFO_DN_EMAILADDRESS (0x000D) #define SSL_INFO_CLIENT_MASK (0x0100) #define SSL_INFO_CLIENT_M_VERSION (0x0101) #define SSL_INFO_CLIENT_M_SERIAL (0x0102) #define SSL_INFO_CLIENT_V_START (0x0103) #define SSL_INFO_CLIENT_V_END (0x0104) #define SSL_INFO_CLIENT_A_SIG (0x0105) #define SSL_INFO_CLIENT_A_KEY (0x0106) #define SSL_INFO_CLIENT_CERT (0x0107) #define SSL_INFO_CLIENT_V_REMAIN (0x0108) #define SSL_INFO_SERVER_MASK (0x0200) #define SSL_INFO_SERVER_M_VERSION (0x0201) #define SSL_INFO_SERVER_M_SERIAL (0x0202) #define SSL_INFO_SERVER_V_START (0x0203) #define SSL_INFO_SERVER_V_END (0x0204) #define SSL_INFO_SERVER_A_SIG (0x0205) #define SSL_INFO_SERVER_A_KEY (0x0206) #define SSL_INFO_SERVER_CERT (0x0207) #define SSL_INFO_CLIENT_CERT_CHAIN (0x0400) #define SSL_VERIFY_ERROR_IS_OPTIONAL(errnum) \ ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \ || (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \ || (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \ || (errnum == X509_V_ERR_CERT_UNTRUSTED) \ || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) #define SSL_DEFAULT_PASS_PROMPT "Some of your private key files are encrypted for security reasons.\n" \ "In order to read them you have to provide the pass phrases.\n" \ "Enter password :" extern void *SSL_temp_keys[SSL_TMP_KEY_MAX]; typedef struct { /* client can have any number of cert/key pairs */ const char *cert_file; const char *cert_path; STACK_OF(X509_INFO) *certs; } ssl_pkc_t; typedef struct tcn_ssl_ctxt_t tcn_ssl_ctxt_t; typedef struct { char password[SSL_MAX_PASSWORD_LEN]; const char *prompt; tcn_callback_t cb; } tcn_pass_cb_t; extern tcn_pass_cb_t tcn_password_callback; struct tcn_ssl_ctxt_t { apr_pool_t *pool; SSL_CTX *ctx; BIO *bio_os; BIO *bio_is; unsigned char context_id[MD5_DIGEST_LENGTH]; int protocol; /* we are one or the other */ int mode; /* certificate revocation list */ X509_STORE *crl; /* pointer to the context verify store */ X509_STORE *store; const char *cert_files[SSL_AIDX_MAX]; const char *key_files[SSL_AIDX_MAX]; X509 *certs[SSL_AIDX_MAX]; EVP_PKEY *keys[SSL_AIDX_MAX]; int ca_certs; int shutdown_type; char *rand_file; const char *cipher_suite; /* for client or downstream server authentication */ int verify_depth; int verify_mode; tcn_pass_cb_t *cb_data; }; typedef struct { apr_pool_t *pool; tcn_ssl_ctxt_t *ctx; SSL *ssl; X509 *peer; int shutdown_type; apr_socket_t *sock; apr_pollset_t *pollset; } tcn_ssl_conn_t; #define SSL_CTX_get_extra_certs(ctx) ((ctx)->extra_certs) #define SSL_CTX_set_extra_certs(ctx, value) \ TCN_BEGIN_MACRO \ (ctx)->extra_certs = (value); \ TCN_END_MACRO /* * Additional Functions */ void SSL_init_app_data2_idx(void); void *SSL_get_app_data2(SSL *); void SSL_set_app_data2(SSL *, void *); int SSL_password_prompt(tcn_pass_cb_t *); int SSL_password_callback(char *, int, int, void *); void SSL_BIO_close(BIO *); void SSL_BIO_doref(BIO *); DH *SSL_dh_get_tmp_param(int); DH *SSL_dh_get_param_from_file(const char *); RSA *SSL_callback_tmp_RSA(SSL *, int, int); DH *SSL_callback_tmp_DH(SSL *, int, int); void SSL_vhost_algo_id(const unsigned char *, unsigned char *, int); int SSL_CTX_use_certificate_chain(SSL_CTX *, const char *, int); int SSL_callback_SSL_verify(int, X509_STORE_CTX *); int SSL_rand_seed(const char *file); #endif /* SSL_PRIVATE_H */