/usr/include/zorp/proxyssl.h is in libzorp-dev 3.9.5-4.
This file is owned by root:root, with mode 0o644.
/***************************************************************************
*
* Copyright (c) 2009, 2010 BalaBit IT Ltd, Budapest, Hungary
* All rights reserved.
*
* Author: Laszlo Attila Toth
*
***************************************************************************/
#ifndef ZORP_PROXY_SSL_H_INCLUDED
#define ZORP_PROXY_SSL_H_INCLUDED
#include <zorp/proxycommon.h>
#include <zorp/ssl.h>
/* Strictness of peer-certificate verification on one side of the proxy.
 *
 * The member names distinguish whether a peer certificate is demanded at
 * all (NONE / OPTIONAL / REQUIRED) and whether, when one is presented, it
 * must chain to a trusted CA (TRUSTED / UNTRUSTED).  The concrete checks
 * each level enables live in the implementation, not in this header --
 * confirm there before relying on a particular level. */
typedef enum
{
  PROXY_SSL_VERIFY_NONE = 0,
  PROXY_SSL_VERIFY_OPTIONAL_UNTRUSTED = 1,
  /* NOTE(review): the unqualified OPTIONAL alias resolves to the weaker
   * _UNTRUSTED level, not to _TRUSTED.  Callers that want a trusted chain
   * must name PROXY_SSL_VERIFY_OPTIONAL_TRUSTED explicitly. */
#define PROXY_SSL_VERIFY_OPTIONAL PROXY_SSL_VERIFY_OPTIONAL_UNTRUSTED
  PROXY_SSL_VERIFY_OPTIONAL_TRUSTED = 2,
  PROXY_SSL_VERIFY_REQUIRED_UNTRUSTED = 3,
  PROXY_SSL_VERIFY_REQUIRED_TRUSTED = 4,
} proxy_ssl_verify_type;
/* Handshake ordering -- presumably which side's SSL handshake is performed
 * first (client then server, or server then client); confirm in the
 * implementation. */
#define PROXY_SSL_HS_CLIENT_SERVER 0
#define PROXY_SSL_HS_SERVER_CLIENT 1
/* Handshake outcome codes.  The first two reuse generic Zorp verdict values
 * (ZV_*, declared in the included headers); PROXY_SSL_HS_VERIFIED is a
 * local value that must not collide with any ZV_* value -- verify against
 * the ZV_ range when those change. */
#define PROXY_SSL_HS_POLICY ZV_POLICY
#define PROXY_SSL_HS_ACCEPT ZV_ACCEPT
#define PROXY_SSL_HS_VERIFIED 10
/* Per-side SSL/TLS mode of the proxied connection.  From the names:
 * plaintext (NONE), SSL from the first byte (FORCE_SSL), and the two
 * STARTTLS variants (accept an upgrade request from the client, or forward
 * one to the server) -- the header does not fix the exact semantics, so
 * check the implementation before depending on them. */
typedef enum
{
  PROXY_SSL_SEC_NONE = 0,
  PROXY_SSL_SEC_FORCE_SSL = 1,
  PROXY_SSL_SEC_ACCEPT_STARTTLS = 2,
  PROXY_SSL_SEC_FORWARD_STARTTLS = 3,
} proxy_ssl_security_type;
/* SSL/TLS configuration and state embedded in a proxy.
 *
 * Arrays of size EP_MAX are indexed by endpoint side; EP_MAX comes from the
 * included proxy headers (presumably client/server -- confirm).  The struct
 * holds OpenSSL objects (keys, certificates, CA and CRL stacks) as well as
 * policy-layer callback objects; z_proxy_ssl_free_vars() is the declared
 * release point for them. */
typedef struct _ZProxySsl {
  ZPolicyDict *dict;                        /* policy-visible attribute dictionary */
  ZPolicyObj *ssl_struct;                   /* policy-layer object backing the SSL settings */
  proxy_ssl_security_type security[EP_MAX]; /* plaintext / forced SSL / STARTTLS mode per side */
  GString *ssl_method[EP_MAX];              /* protocol method name per side, string form */
  GString *ssl_cipher[EP_MAX];              /* cipher specification per side, string form */
  ZSSLSession *ssl_sessions[EP_MAX];        /* live SSL session per side */
  /* Policy-layer hooks consulted while setting up or verifying the server side. */
  ZPolicyObj *server_setup_key_cb, *server_setup_ca_list_cb, *server_setup_crl_list_cb, *server_verify_cert_cb;
  /* The same hooks for the client side. */
  ZPolicyObj *client_setup_key_cb, *client_setup_ca_list_cb, *client_setup_crl_list_cb, *client_verify_cert_cb;
  EVP_PKEY *local_privkey[EP_MAX];          /* private key presented on each side */
  X509 *peer_cert[EP_MAX];                  /* certificate received from the peer on each side */
  X509 *local_cert[EP_MAX];                 /* certificate presented on each side */
  STACK_OF(X509) *local_ca_list[EP_MAX];    /* CA certificates used per side */
  STACK_OF(X509_NAME) *server_peer_ca_list; /* CA names announced by the server -- presumably from its client-cert request; confirm */
  STACK_OF(X509_CRL) *local_crl_list[EP_MAX]; /* CRLs used per side */
  GString *verify_ca_directory[EP_MAX];     /* directory of trusted CA certificates for verification */
  GString *verify_crl_directory[EP_MAX];    /* directory of CRLs consulted during verification */
  gboolean force_connect_at_handshake;      /* see z_proxy_ssl_set_force_connect_at_handshake() */
  gint handshake_timeout;                   /* handshake timeout; unit not fixed by this header */
  gint handshake_seq;                       /* handshake ordering, one of PROXY_SSL_HS_CLIENT_SERVER / PROXY_SSL_HS_SERVER_CLIENT -- presumably */
  gboolean handshake_pending[EP_MAX];       /* a handshake is in progress on this side */
  GHashTable *handshake_hash[EP_MAX];       /* per-side handshake lookup table */
  proxy_ssl_verify_type verify_type[EP_MAX]; /* certificate verification strictness per side */
  int verify_depth[EP_MAX];                 /* maximum accepted certificate chain depth */
  /* Per-side opt-outs for legacy protocol versions.  This header does not
   * fix their defaults; an unset flag may leave that version negotiable, so
   * check z_proxy_ssl_config_defaults() when reviewing the TLS policy. */
  gboolean disable_proto_sslv2[EP_MAX];
  gboolean disable_proto_sslv3[EP_MAX];
  gboolean disable_proto_tlsv1[EP_MAX];
  gboolean permit_invalid_certificates;     /* relaxes certificate verification failures -- exact effect in the implementation */
  gboolean permit_missing_crl;              /* tolerate an absent CRL during verification -- confirm */
  gboolean server_check_subject;            /* presumably compares the server certificate subject against the target; confirm */
  GString *local_privkey_passphrase[EP_MAX]; /* passphrase for local_privkey, held in a plain GString */
  /* List of handshake objects. Unfortunately OpenSSL callbacks cannot be
   * handed a destroy_notify callback so we generally cannot use
   * refcounting to manage the lifetime of handshake objects.
   *
   * Instead, we do store all handshake objects in this linked list in the
   * associated proxy and make sure we delete these when we can guarantee that
   * the handshake is no longer needed (referenced).
   *
   * Right now this means we delete handshake objects only from the proxy
   * destroy method.
   */
  GList *handshakes;
} ZProxySsl;
/* Forward declaration so the callback type below can name the handshake. */
struct _ZProxySSLHandshake;
/* Completion callback type stored in ZProxySSLHandshake::completion_cb --
 * presumably invoked once the handshake finishes, with hs carrying the
 * result in ssl_err / ssl_err_str and user_data being the value stored in
 * completion_user_data; confirm in the implementation. */
typedef void (*ZProxySSLCallbackFunc)(struct _ZProxySSLHandshake *hs, gpointer user_data);
/* State of one SSL handshake on one side of a proxy.  Created with
 * z_proxy_ssl_handshake_new() and driven by z_proxy_ssl_perform_handshake(). */
typedef struct _ZProxySSLHandshake {
  ZSSLSession *session;                     /* SSL session being negotiated */
  ZStream *stream;                          /* stream the handshake runs on */
  ZProxy *proxy;                            /* owning proxy */
  gint side;                                /* endpoint side the handshake belongs to */
  /* result */
  gint ssl_err;                             /* error code of the handshake; semantics fixed by the implementation */
  gchar ssl_err_str[512];                   /* human-readable error text; fixed-size, writers must bound and NUL-terminate it */
  /* internals */
  GSource *timeout;                         /* timeout source armed while the handshake is pending */
  ZStreamContext stream_context;            /* saved stream state restored after the handshake -- presumably */
  ZProxySSLCallbackFunc completion_cb;      /* called when the handshake completes */
  gpointer completion_user_data;            /* opaque argument for completion_cb */
  GDestroyNotify completion_user_data_notify; /* releases completion_user_data when the handshake is destroyed */
  SSL_CTX *ssl_context;                     /* OpenSSL context used to create the session */
} ZProxySSLHandshake;
/**
 * Allocate a handshake object for one side of a proxy.
 *
 * @param proxy  owning proxy
 * @param stream stream the handshake will run on
 * @param side   endpoint side (EP_* value)
 * @return new handshake; ownership and release rules are those described
 *         for ZProxySsl::handshakes -- confirm in the implementation
 */
ZProxySSLHandshake *z_proxy_ssl_handshake_new(ZProxy *proxy, ZStream *stream, gint side);
/** Populate the proxy's ZProxySsl fields with their default values (including
 *  the verification and protocol-version settings reviewers should check). */
void z_proxy_ssl_config_defaults(ZProxy *self);
/** Register the SSL-related attributes with the proxy's policy dictionary. */
void z_proxy_ssl_register_vars(ZProxy *self);
/** Release the OpenSSL objects and policy references held in the proxy's ZProxySsl. */
void z_proxy_ssl_free_vars(ZProxy *self);
/**
 * Run the handshake described by @handshake.
 * @return TRUE on success, FALSE otherwise -- check ssl_err / ssl_err_str
 *         on the handshake for the cause
 */
gboolean z_proxy_ssl_perform_handshake(ZProxySSLHandshake *handshake);
/** Set up SSL on the given side's stream (blocking variant). @return TRUE on success. */
gboolean z_proxy_ssl_init_stream(ZProxy *self, gint side);
/** Set up SSL on the given side's stream without blocking. @return TRUE on success. */
gboolean z_proxy_ssl_init_stream_nonblocking(ZProxy *self, gint side);
/**
 * Request a handshake on the given side.
 * @param forced presumably starts the handshake regardless of the configured
 *               security mode -- confirm in the implementation
 * @return TRUE on success
 */
gboolean z_proxy_ssl_request_handshake(ZProxy *self, gint side, gboolean forced);
/** Drop the SSL session held for the given side. */
void z_proxy_ssl_clear_session(ZProxy *self, gint side);
/** Set ZProxySsl::force_connect_at_handshake for this proxy. */
void z_proxy_ssl_set_force_connect_at_handshake(ZProxy *self, gboolean val);
#endif