mod_ssl.h

mod_ssl-2.8.31-1.3.41.tar.gz 好用的ssl工具

/*                      _             _
**  _ __ ___   ___   __| |    ___ ___| |  mod_ssl
** | '_ ` _ \ / _ \ / _` |   / __/ __| |  Apache Interface to OpenSSL
** | | | | | | (_) | (_| |   \__ \__ \ |  www.modssl.org
** |_| |_| |_|\___/ \__,_|___|___/___/_|  ftp.modssl.org
**                      |_____|
**  mod_ssl.h
**  Global header
*/

/* ====================================================================
 * Copyright (c) 1998-2006 Ralf S. Engelschall. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following
 *    disclaimer in the documentation and/or other materials
 *    provided with the distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by
 *     Ralf S. Engelschall <rse@engelschall.com> for use in the
 *     mod_ssl project (http://www.modssl.org/)."
 *
 * 4. The names "mod_ssl" must not be used to endorse or promote
 *    products derived from this software without prior written
 *    permission. For written permission, please contact
 *    rse@engelschall.com.
 *
 * 5. Products derived from this software may not be called "mod_ssl"
 *    nor may "mod_ssl" appear in their names without prior
 *    written permission of Ralf S. Engelschall.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by
 *     Ralf S. Engelschall <rse@engelschall.com> for use in the
 *     mod_ssl project (http://www.modssl.org/)."
 *
 * THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL RALF S. ENGELSCHALL OR
 * HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 */
                             /* ``The Apache Group: a collection
                                  of talented individuals who are
                                  trying to perfect the art of
                                  never finishing something.''
                                             -- Rob Hartill         */
#ifndef MOD_SSL_H
#define MOD_SSL_H 1

/* 
 * Check whether Extended API (EAPI) is enabled
 */
#ifndef EAPI
#error "mod_ssl requires Extended API (EAPI)"
#endif

/* 
 * Optionally enable the experimental stuff, but allow the user to
 * override the decision which experimental parts are included by using
 * CFLAGS="-DSSL_EXPERIMENTAL_xxxx_IGNORE".
 */
#ifdef SSL_EXPERIMENTAL
#ifndef SSL_EXPERIMENTAL_PERDIRCA_IGNORE
#define SSL_EXPERIMENTAL_PERDIRCA
#endif
#ifndef SSL_EXPERIMENTAL_PROXY_IGNORE
#define SSL_EXPERIMENTAL_PROXY
#endif
#ifdef SSL_ENGINE
#ifndef SSL_EXPERIMENTAL_ENGINE_IGNORE
#define SSL_EXPERIMENTAL_ENGINE
#endif
#endif
#endif /* SSL_EXPERIMENTAL */

/*
 * Power up our brain...
 */

/* OS headers */
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <time.h>
#ifndef WIN32
#include <sys/time.h>
#endif
#ifdef WIN32
#ifndef WIN32_LEAN_AND_MEAN
#define WIN32_LEAN_AND_MEAN
#endif
#include <windows.h>
#include <wincrypt.h>
#include <winsock2.h>
#endif

/* OpenSSL headers */
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/pem.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#include <openssl/rand.h>
#ifdef SSL_EXPERIMENTAL_ENGINE
#include <openssl/engine.h>
#endif

/* Apache headers */
#define CORE_PRIVATE
#include "ap_config.h"
#include "httpd.h"
#include "http_config.h"
#include "http_conf_globals.h"
#include "http_protocol.h"
#include "http_request.h"
#include "http_main.h"
#include "http_core.h"
#include "http_log.h"
#include "scoreboard.h"
#include "util_md5.h"
#include "fnmatch.h"
#undef CORE_PRIVATE

/* mod_ssl headers */
#include "ssl_expr.h"
#include "ssl_util_ssl.h"
#include "ssl_util_table.h"

/*
 * Provide reasonable default for some defines
 */
#ifndef FALSE
#define FALSE (0)
#endif
#ifndef TRUE
#define TRUE (!FALSE)
#endif
#ifndef PFALSE
#define PFALSE ((void *)FALSE)
#endif
#ifndef PTRUE
#define PTRUE ((void *)TRUE)
#endif
#ifndef UNSET
#define UNSET (-1)
#endif
#ifndef NUL
#define NUL '\0'
#endif
#ifndef RAND_MAX
#include <limits.h>
#define RAND_MAX INT_MAX
#endif

/*
 * Provide reasonable defines for some types
 */
#ifndef BOOL
#define BOOL unsigned int
#endif
#ifndef UCHAR
#define UCHAR unsigned char
#endif

/*
 * Provide useful shorthands
 */
#define strEQ(s1,s2)     (strcmp(s1,s2)        == 0)
#define strNE(s1,s2)     (strcmp(s1,s2)        != 0)
#define strEQn(s1,s2,n)  (strncmp(s1,s2,n)     == 0)
#define strNEn(s1,s2,n)  (strncmp(s1,s2,n)     != 0)

#define strcEQ(s1,s2)    (strcasecmp(s1,s2)    == 0)
#define strcNE(s1,s2)    (strcasecmp(s1,s2)    != 0)
#define strcEQn(s1,s2,n) (strncasecmp(s1,s2,n) == 0)
#define strcNEn(s1,s2,n) (strncasecmp(s1,s2,n) != 0)

#define strIsEmpty(s)    (s == NULL || s[0] == NUL)

#define cfgMerge(el,unset)  new->el = add->el == unset ? base->el : add->el
#define cfgMergeArray(el)   new->el = ap_append_arrays(p, add->el, base->el)
#define cfgMergeTable(el)   new->el = ap_overlay_tables(p, add->el, base->el)
#define cfgMergeCtx(el)     new->el = ap_ctx_overlay(p, add->el, base->el)
#define cfgMergeString(el)  cfgMerge(el, NULL)
#define cfgMergeBool(el)    cfgMerge(el, UNSET)
#define cfgMergeInt(el)     cfgMerge(el, UNSET)

#define myModConfig()    (SSLModConfigRec *)ap_ctx_get(ap_global_ctx, "ssl_module")
#define mySrvConfig(srv) (SSLSrvConfigRec *)ap_get_module_config(srv->module_config,  &ssl_module)
#define myDirConfig(req) (SSLDirConfigRec *)ap_get_module_config(req->per_dir_config, &ssl_module)

#define myCtxVarSet(mc,num,val)  mc->rCtx.pV##num = val
#define myCtxVarGet(mc,num,type) (type)(mc->rCtx.pV##num)

#define AP_ALL_CMD(name, args, desc) \
        { "SSL"#name, ssl_cmd_SSL##name, NULL, RSRC_CONF|OR_AUTHCFG, args, desc },
#define AP_SRV_CMD(name, args, desc) \
        { "SSL"#name, ssl_cmd_SSL##name, NULL, RSRC_CONF, args, desc },
#define AP_DIR_CMD(name, type, args, desc) \
        { "SSL"#name, ssl_cmd_SSL##name, NULL, OR_##type, args, desc },
#define AP_END_CMD \
        { NULL }

/*
 * SSL Logging
 */
#define SSL_LOG_NONE    (1<<0)
#define SSL_LOG_ERROR   (1<<1)
#define SSL_LOG_WARN    (1<<2)
#define SSL_LOG_INFO    (1<<3)
#define SSL_LOG_TRACE   (1<<4)
#define SSL_LOG_DEBUG   (1<<5)
#define SSL_LOG_MASK    (SSL_LOG_ERROR|SSL_LOG_WARN|SSL_LOG_INFO|SSL_LOG_TRACE|SSL_LOG_DEBUG)

#define SSL_ADD_NONE     (1<<8)
#define SSL_ADD_ERRNO    (1<<9)
#define SSL_ADD_SSLERR   (1<<10)
#define SSL_NO_TIMESTAMP (1<<11)
#define SSL_NO_LEVELID   (1<<12)
#define SSL_NO_NEWLINE   (1<<13)

/*
 * Defaults for the configuration
 */
#ifndef SSL_SESSION_CACHE_TIMEOUT
#define SSL_SESSION_CACHE_TIMEOUT  300
#endif

/*
 * Support for file locking: Try to determine whether we should use fcntl() or
 * flock().  Would be better ap_config.h could provide this... :-(
  */
#if defined(USE_FCNTL_SERIALIZED_ACCEPT)
#define SSL_USE_FCNTL 1
#include <fcntl.h>
#endif
#if defined(USE_FLOCK_SERIALIZED_ACCEPT)
#define SSL_USE_FLOCK 1
#include <sys/file.h>
#endif
#if !defined(SSL_USE_FCNTL) && !defined(SSL_USE_FLOCK)
#define SSL_USE_FLOCK 1
#if !defined(MPE) && !defined(WIN32)
#include <sys/file.h>
#endif
#ifndef LOCK_UN
#undef SSL_USE_FLOCK
#define SSL_USE_FCNTL 1
#include <fcntl.h>
#endif
#endif
#ifdef AIX
#undef SSL_USE_FLOCK
#define SSL_USE_FCNTL 1
#include <fcntl.h>
#endif

/*
 * Support for Mutex
 */
#ifndef WIN32
#define SSL_MUTEX_LOCK_MODE ( S_IRUSR|S_IWUSR )
#else
#define SSL_MUTEX_LOCK_MODE (_S_IREAD|_S_IWRITE )
#endif
#if defined(USE_SYSVSEM_SERIALIZED_ACCEPT) ||\
    (defined(__FreeBSD__) && defined(__FreeBSD_version) &&\
     __FreeBSD_version >= 300000) ||\
    (defined(LINUX) && defined(__GLIBC__) && defined(__GLIBC_MINOR__) &&\
     LINUX >= 2 && __GLIBC__ >= 2 && __GLIBC_MINOR__ >= 1) ||\
    defined(SOLARIS2) || defined(__hpux) ||\
    (defined (__digital__) && defined (__unix__))
#define SSL_CAN_USE_SEM
#define SSL_HAVE_IPCSEM
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/sem.h>
/* 
 * Some platforms have a `union semun' pre-defined but Single Unix
 * Specification (SUSv2) says in semctl(2): `If required, it is of
 * type union semun, which the application program must explicitly
 * declare'. So we define it always ourself to avoid problems (but under
 * a different name to avoid a namespace clash).
 */
union ssl_ipc_semun {
    long val;
    struct semid_ds *buf;
    unsigned short int *array;
};
#endif
#ifdef WIN32
#define SSL_CAN_USE_SEM
#define SSL_HAVE_W32SEM
#include "multithread.h"
#include <process.h>
#endif

/*
 * Support for MM library
 */
#ifndef WIN32
#define SSL_MM_FILE_MODE ( S_IRUSR|S_IWUSR )
#else
#define SSL_MM_FILE_MODE ( _S_IREAD|_S_IWRITE )
#endif

/*
 * Support for DBM library
 */
#ifndef WIN32
#define SSL_DBM_FILE_MODE ( S_IRUSR|S_IWUSR )
#else
#define SSL_USE_SDBM
#define SSL_DBM_FILE_MODE ( _S_IREAD|_S_IWRITE )
#endif

#ifdef SSL_USE_SDBM
#include "ssl_util_sdbm.h"
#define ssl_dbm_open     sdbm_open
#define ssl_dbm_close    sdbm_close
#define ssl_dbm_store    sdbm_store
#define ssl_dbm_fetch    sdbm_fetch
#define ssl_dbm_delete   sdbm_delete
#define ssl_dbm_firstkey sdbm_firstkey
#define ssl_dbm_nextkey  sdbm_nextkey
#define SSL_DBM_FILE_SUFFIX_DIR ".dir"
#define SSL_DBM_FILE_SUFFIX_PAG ".pag"
#else /* !SSL_USE_SDBM */
#include <ndbm.h>
#define ssl_dbm_open     dbm_open
#define ssl_dbm_close    dbm_close
#define ssl_dbm_store    dbm_store
#define ssl_dbm_fetch    dbm_fetch
#define ssl_dbm_delete   dbm_delete
#define ssl_dbm_firstkey dbm_firstkey
#define ssl_dbm_nextkey  dbm_nextkey
#if !defined(SSL_DBM_FILE_SUFFIX_DIR) && !defined(SSL_DBM_FILE_SUFFIX_PAG)
#if defined(DBM_SUFFIX)
#define SSL_DBM_FILE_SUFFIX_DIR DBM_SUFFIX
#define SSL_DBM_FILE_SUFFIX_PAG DBM_SUFFIX
#elif defined(__FreeBSD__) || (defined(DB_LOCK) && defined(DB_SHMEM))
#define SSL_DBM_FILE_SUFFIX_DIR ".db"
#define SSL_DBM_FILE_SUFFIX_PAG ".db"
#else
#define SSL_DBM_FILE_SUFFIX_DIR ".dir"
#define SSL_DBM_FILE_SUFFIX_PAG ".pag"
#endif
#endif
#endif /* !SSL_USE_SDBM */

/*
 * Check for OpenSSL version 
 */
#if SSL_LIBRARY_VERSION < 0x00903100
#error "mod_ssl requires OpenSSL 0.9.3 or higher"
#endif

/*
 * The own data structures
 */
typedef struct {
    pool *pPool;
    pool *pSubPool;
    array_header *aData;
} ssl_ds_array;

typedef struct {
    pool *pPool;
    pool *pSubPool;
    array_header *aKey;
    array_header *aData;
} ssl_ds_table;

/*
 * Define the certificate algorithm types
 */

typedef int ssl_algo_t;

#define SSL_ALGO_UNKNOWN (0)
#define SSL_ALGO_RSA     (1<<0)
#define SSL_ALGO_DSA     (1<<1)
#define SSL_ALGO_ALL     (SSL_ALGO_RSA|SSL_ALGO_DSA)

#define SSL_AIDX_RSA     (0)
#define SSL_AIDX_DSA     (1)
#define SSL_AIDX_MAX     (2)

/*
 * Define IDs for the temporary RSA keys and DH params
 */

#define SSL_TKP_GEN        (0)
#define SSL_TKP_ALLOC      (1)
#define SSL_TKP_FREE       (2)

#define SSL_TKPIDX_RSA512  (0)
#define SSL_TKPIDX_RSA1024 (1)
#define SSL_TKPIDX_DH512   (2)
#define SSL_TKPIDX_DH1024  (3)
#define SSL_TKPIDX_MAX     (4)

/*
 * Define the SSL options
 */
#define SSL_OPT_NONE           (0)