00001 /*
00002    Copyright (c) 2003-8, Andrew McNab, University of Manchester
00003    All rights reserved.
00004 
00005    Redistribution and use in source and binary forms, with or
00006    without modification, are permitted provided that the following
00007    conditions are met:
00008 
00009      o Redistributions of source code must retain the above
00010        copyright notice, this list of conditions and the following
00011        disclaimer. 
00012      o Redistributions in binary form must reproduce the above
00013        copyright notice, this list of conditions and the following
00014        disclaimer in the documentation and/or other materials
00015        provided with the distribution. 
00016 
00017    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
00018    CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
00019    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
00020    MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
00021    DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
00022    BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
00023    EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
00024    TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
00025    DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
00026    ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
00027    OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
00028    OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
00029    POSSIBILITY OF SUCH DAMAGE.
00030 */
00031 
00032 /*
00033 
00034  Portions of this code are derived from Apache mod_ssl, and are covered
00035  by the Apache Software License:
00036 
00037  * Copyright 2001-2004 The Apache Software Foundation
00038  *
00039  * Licensed under the Apache License, Version 2.0 (the "License");
00040  * you may not use this file except in compliance with the License.
00041  * You may obtain a copy of the License at
00042  *
00043  *     http://www.apache.org/licenses/LICENSE-2.0
00044  *
00045  * Unless required by applicable law or agreed to in writing, software
00046  * distributed under the License is distributed on an "AS IS" BASIS,
00047  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
00048  * See the License for the specific language governing permissions and
00049  * limitations under the License.
00050  */
00051 
00052 /*
00053    This work has been partially funded by the EU Commission (contract 
00054    INFSO-RI-222667) under the EGEE-III collaboration.
00055 */
00056 
00057 /*------------------------------------------------------------------*
00058  * This program is part of GridSite: http://www.gridsite.org/       *
00059  *------------------------------------------------------------------*/
00060 
00061 
00062 /*
00063  * After 2.0.49, Apache mod_ssl has most of the mod_ssl structures defined
00064  * in ssl_private.h, which is not installed along with httpd-devel (eg in
00065  * the FC2 RPM.) This include file provides SIMPLIFIED structures for use
00066  * by mod_gridsite: for example, pointers to unused structures are replaced
00067  * by  void *  and some of the structures are truncated when only the early
00068  * members are used.
00069  *
00070  * CLEARLY, THIS WILL BREAK IF THERE ARE MAJOR CHANGES TO ssl_private.h!!!
00071  */
00072 
00073 #include <openssl/ssl.h>
00074 
/* mod_ssl spells its flag members as BOOL; define it the same width here
   (unsigned int -- SSLSrvConfigRec2 below writes the same members out as
   unsigned int) unless the includer already did, so the BOOL members in
   the structures below keep mod_ssl's size and alignment. */
#ifndef BOOL
#define BOOL unsigned int
#endif
00078 
/*
 * Mirror of mod_ssl's ssl_shutdown_type_e, read back from SSLConnRec below.
 * The constants are given their values explicitly so the layout contract
 * with ssl_private.h is visible in the source: UNSET=0, STANDARD=1,
 * UNCLEAN=2, ACCURATE=3.  Do not renumber.
 */
typedef enum {
    SSL_SHUTDOWN_TYPE_UNSET    = 0,
    SSL_SHUTDOWN_TYPE_STANDARD = 1,
    SSL_SHUTDOWN_TYPE_UNCLEAN  = 2,
    SSL_SHUTDOWN_TYPE_ACCURATE = 3
} ssl_shutdown_type_e;
00085 
/*
 * Mirror of mod_ssl's ssl_enabled_t.  The values must match ssl_private.h
 * exactly, since they are read out of mod_ssl's own structures: note that
 * 2 is not assigned and OPTIONAL is 3, not 2.
 */
typedef enum {
    SSL_ENABLED_UNSET    = -1,
    SSL_ENABLED_FALSE    = 0,
    SSL_ENABLED_TRUE     = 1,
    SSL_ENABLED_OPTIONAL = 3
} ssl_enabled_t;
00092 
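#if AP_MODULE_MAGIC_AT_LEAST(20051115,0)
/*
 * Mirror of mod_ssl's ssl_verify_t.  Values must match ssl_private.h
 * exactly: they are read from mod_ssl's structures below (verify_mode in
 * modssl_auth_ctx_t, nVerifyClient in SSLDirConfigRec).
 * AP_MODULE_MAGIC_AT_LEAST must already be in scope (httpd's ap_mmn.h)
 * when this header is included; 20051115 is presumably the httpd 2.2
 * module magic number -- confirm against ap_mmn.h.
 */
typedef enum {
    SSL_CVERIFY_UNSET           = -1,
    SSL_CVERIFY_NONE            = 0,
    SSL_CVERIFY_OPTIONAL        = 1,
    SSL_CVERIFY_REQUIRE         = 2,
    SSL_CVERIFY_OPTIONAL_NO_CA  = 3
} ssl_verify_t;

/*
 * True for the X509_V_ERR_* codes this module treats as non-fatal
 * (presumably the set mod_ssl tolerates for SSL_CVERIFY_OPTIONAL_NO_CA --
 * confirm against mod_ssl's verify callback).  Every code in the list is a
 * "no trusted issuer could be found" condition rather than a bad signature
 * or an expired certificate, so a certificate that is accepted only
 * because of this test has NOT been authenticated against a trusted CA and
 * must be validated by some other means before anything relies on it.
 *
 * errnum: an X509 verify result code (int).  It is parenthesised so that an
 *         expression argument is compared as a whole, but it is still
 *         evaluated up to five times -- pass a plain value, not a call with
 *         side effects.
 */
#define ssl_verify_error_is_optional(errnum) \
   (((errnum) == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \
    || ((errnum) == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \
    || ((errnum) == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \
    || ((errnum) == X509_V_ERR_CERT_UNTRUSTED) \
    || ((errnum) == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))

#endif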
00110 
/*
 * Per-connection state, mirroring the leading members of mod_ssl's
 * SSLConnRec.  Per the note at the top of this file the real structure may
 * carry further members after these, so only use this type through
 * pointers obtained from mod_ssl -- never allocate one with sizeof.
 */
typedef struct {
  SSL *ssl;                           /* the OpenSSL connection object (openssl/ssl.h) */
  const char *client_dn;              /* presumably the client subject DN, NULL if none -- confirm against mod_ssl */
  X509 *client_cert;                  /* presumably the peer certificate mod_ssl retained -- confirm */
  ssl_shutdown_type_e shutdown_type;  /* see ssl_shutdown_type_e above */
  const char *verify_info;
  const char *verify_error;           /* presumably the last X509 verify error text, NULL when verification passed -- confirm */
  int verify_depth;
  int is_proxy;                       /* non-zero for an outbound (proxy) connection -- presumably; confirm */
  int disabled;
  int non_ssl_request;
} SSLConnRec;
00123 
#if AP_MODULE_MAGIC_AT_LEAST(20051115,0)
/*
 * Mirror of mod_ssl's modssl_auth_ctx_t: the peer-verification settings
 * of one context.  It is embedded BY VALUE in modssl_ctx_t below, so its
 * size and member order must match ssl_private.h exactly or every member
 * after it moves.
 */
typedef struct {
    const char  *ca_cert_path;   /* presumably SSLCACertificatePath -- confirm */
    const char  *ca_cert_file;   /* presumably SSLCACertificateFile -- confirm */

    const char  *cipher_suite;   /* presumably SSLCipherSuite -- confirm */

    int          verify_depth;   /* maximum chain depth accepted during verification */
    ssl_verify_t verify_mode;    /* SSL_CVERIFY_* value; see ssl_verify_t above */
} modssl_auth_ctx_t;
#endif
00135 
/*
 * Mirror of mod_ssl's modssl_ctx_t: one per server or proxy context
 * (reached through SSLSrvConfigRec.server / .proxy).  Per the note at the
 * top of this file, members mod_gridsite does not dereference are declared
 * void * so their real types need not be known; they still occupy the
 * same space.  The members inside the #if exist only in the newer mod_ssl
 * layout.
 */
typedef struct {
  void    *sc; /* pointer back to server config (an SSLSrvConfigRec; type elided) */
  SSL_CTX *ssl_ctx;   /* the OpenSSL context mod_ssl built for this server/proxy */
#if AP_MODULE_MAGIC_AT_LEAST(20051115,0)
  void *pks;   /* mod_ssl key/cert material; not used here, type elided */
  void *pkp;   /* mod_ssl proxy key/cert material; not used here, type elided */

  int  protocol;   /* presumably the SSLProtocol bitmask -- confirm against ssl_private.h */

  int           pphrase_dialog_type;   /* an enum in mod_ssl; represented as int here */
  const char   *pphrase_dialog_path;

  const char  *cert_chain;   /* presumably SSLCertificateChainFile -- confirm */

  const char  *crl_path;
  const char  *crl_file;
  X509_STORE  *crl;   /* presumably the CRL store built from crl_path/crl_file, NULL if none -- confirm */

  modssl_auth_ctx_t auth;   /* peer-verification settings, embedded by value */
#endif
} modssl_ctx_t;
00157 
/*
 * Per-server configuration as laid out by a mod_ssl WITHOUT the
 * CVE-2009-3555 (TLS renegotiation) patch; see SSLSrvConfigRec2 below for
 * the patched layout.  Never read the server/proxy members directly: use
 * SSLSrvConfigRec_server()/SSLSrvConfigRec_proxy(), which pick the right
 * layout at run time.  Only use this type through pointers obtained from
 * mod_ssl.
 */
typedef struct {
  void            *mc;   /* mod_ssl's module-global config; not used here, type elided */
  BOOL             enabled;   /* presumably SSLEngine (an ssl_enabled_t value) -- confirm */
  BOOL             proxy_enabled;   /* presumably SSLProxyEngine -- confirm */
  const char      *vhost_id;
  int              vhost_id_len;
  int              session_cache_timeout;
#if AP_MODULE_MAGIC_AT_LEAST(20051115,0)
  BOOL             cipher_server_pref;   /* present only in the newer mod_ssl layout */
#endif
  modssl_ctx_t    *server;   /* read via SSLSrvConfigRec_server() */
  modssl_ctx_t    *proxy;    /* read via SSLSrvConfigRec_proxy() */
} SSLSrvConfigRec;
00172 
/*
 * SSLSrvConfigRec as laid out by a mod_ssl that carries the CVE-2009-3555
 * (TLS renegotiation) patch.  The patch inserted insecure_reneg AHEAD of
 * the server/proxy pointers, so a mod_gridsite built against the old
 * layout would read them from the wrong offset; the two layouts are told
 * apart at run time by the mod_ssl_with_insecure_reneg flag used in the
 * accessor macros below.  enabled/proxy_enabled are spelled unsigned int
 * here, the same width as BOOL above.
 */
typedef struct {
  void            *mc;   /* mod_ssl's module-global config; not used here, type elided */
  unsigned int     enabled;   /* presumably SSLEngine -- confirm */
  unsigned int     proxy_enabled;   /* presumably SSLProxyEngine -- confirm */
  const char      *vhost_id;
  int              vhost_id_len;
  int              session_cache_timeout;
#if AP_MODULE_MAGIC_AT_LEAST(20051115,0)
  BOOL             cipher_server_pref;   /* present only in the newer mod_ssl layout */
#endif
  /* the member the CVE-2009-3555 patch added; everything after it shifts */
  int              insecure_reneg;
  modssl_ctx_t    *server;   /* read via SSLSrvConfigRec_server() */
  modssl_ctx_t    *proxy;    /* read via SSLSrvConfigRec_proxy() */
} SSLSrvConfigRec2;
00189 
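/*
 * Accessors for the server/proxy context pointers of an SSLSrvConfigRec
 * handed out by mod_ssl.  The loaded mod_ssl may or may not carry the
 * CVE-2009-3555 patch, which inserts insecure_reneg in front of these two
 * members (see SSLSrvConfigRec2); reading through the wrong layout returns
 * whatever happens to sit at the other offset.  The run-time flag
 * mod_ssl_with_insecure_reneg selects the layout -- it must be declared by
 * the includer and is presumably set after probing the loaded mod_ssl
 * (confirm in mod_gridsite.c).  The server and proxy members must only
 * ever be accessed through these macros.
 *
 * sc: pointer to the record (any pointer type; it is cast here).  It is
 *     parenthesised so an expression argument is cast as a whole, and only
 *     the selected branch evaluates it, so a side-effecting argument is
 *     evaluated once.
 */
#define SSLSrvConfigRec_server(sc) \
   (mod_ssl_with_insecure_reneg ? (((SSLSrvConfigRec2 *) (sc))->server) \
                                : (((SSLSrvConfigRec *) (sc))->server))
#define SSLSrvConfigRec_proxy(sc) \
   (mod_ssl_with_insecure_reneg ? (((SSLSrvConfigRec2 *) (sc))->proxy) \
                                : (((SSLSrvConfigRec *) (sc))->proxy))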
00194 
#if AP_MODULE_MAGIC_AT_LEAST(20051115,0)
/*
 * Mirror of mod_ssl's per-directory configuration (SSLDirConfigRec).
 * Member order and types must match ssl_private.h; apr_array_header_t
 * must already be in scope from APR when this header is included.  Only
 * use this type through pointers obtained from mod_ssl.
 */
typedef struct {
    BOOL          bSSLRequired;          /* presumably SSLRequireSSL -- confirm */
    apr_array_header_t *aRequirement;    /* presumably the SSLRequire expressions -- confirm */
    int           nOptions;              /* SSLOptions flags; Add/Del are the +/- forms -- presumably; confirm */
    int           nOptionsAdd;
    int           nOptionsDel;
    const char   *szCipherSuite;
    ssl_verify_t  nVerifyClient;         /* per-directory SSLVerifyClient; see ssl_verify_t above */
    int           nVerifyDepth;
    const char   *szCACertificatePath;
    const char   *szCACertificateFile;
    const char   *szUserName;            /* presumably SSLUserName -- confirm */
} SSLDirConfigRec;
#endif
00210 
/* mod_ssl's module record, presumably used with ap_get_module_config() to
   reach the structures above -- confirm in mod_gridsite.c.  'module' and
   AP_MODULE_DECLARE_DATA come from httpd.h, which the includer must
   provide before this header. */
extern module AP_MODULE_DECLARE_DATA ssl_module;