freebsd-dev/include/apr_ldap_option.h

/* Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

/**
 * @file apr_ldap_option.h
 * @brief  APR-UTIL LDAP ldap_*_option() functions
 */
#ifndef APR_LDAP_OPTION_H
#define APR_LDAP_OPTION_H

/**
 * @addtogroup APR_Util_LDAP
 * @{
 */

#include "apr_ldap.h"

#if APR_HAS_LDAP

#ifdef __cplusplus
extern "C" {
#endif /* __cplusplus */

/*
 * The following defines handle the different TLS certificate
 * options available. If these options are missing, APR will try and
 * emulate support for this using the deprecated ldap_start_tls_s()
 * function.
 */
/**
 * Set SSL mode to one of APR_LDAP_NONE, APR_LDAP_SSL, APR_LDAP_STARTTLS
 * or APR_LDAP_STOPTLS.
 */
#define APR_LDAP_OPT_TLS 0x6fff
/**
 * Set zero or more CA certificates, client certificates or private
 * keys globally, or per connection (where supported).
 */
#define APR_LDAP_OPT_TLS_CERT 0x6ffe
/**
 * Set the LDAP library to no verify the server certificate.  This means
 * all servers are considered trusted.
 */
#define APR_LDAP_OPT_VERIFY_CERT 0x6ffd
/**
 * Set the LDAP library to indicate if referrals should be chased during
 * LDAP searches.
 */
#define APR_LDAP_OPT_REFERRALS 0x6ffc
/**
 * Set the LDAP library to indicate a maximum number of referral hops to
 * chase before giving up on the search.
 */
#define APR_LDAP_OPT_REFHOPLIMIT 0x6ffb

/**
 * Structures for the apr_set_option() cases
 */

/**
 * APR_LDAP_OPT_TLS_CERT
 *
 * This structure includes possible options to set certificates on
 * system initialisation. Different SDKs have different certificate
 * requirements, and to achieve this multiple certificates must be
 * specified at once passed as an (apr_array_header_t *).
 *
 * Netscape:
 * Needs the CA cert database (cert7.db), the client cert database (key3.db)
 * and the security module file (secmod.db) set at the system initialisation
 * time. Three types are supported: APR_LDAP_CERT7_DB, APR_LDAP_KEY3_DB and
 * APR_LDAP_SECMOD.
 *
 * To specify a client cert connection, a certificate nickname needs to be
 * provided with a type of APR_LDAP_CERT.
 * int ldapssl_enable_clientauth( LDAP *ld, char *keynickname,
 * char *keypasswd, char *certnickname );
 * keynickname is currently not used, and should be set to ""
 *
 * Novell:
 * Needs CA certificates and client certificates set at system initialisation
 * time. Three types are supported: APR_LDAP_CA*, APR_LDAP_CERT* and
 * APR_LDAP_KEY*.
 *
 * Certificates cannot be specified per connection.
 *
 * The functions used are:
 * ldapssl_add_trusted_cert(serverTrustedRoot, serverTrustedRootEncoding);
 * Clients certs and keys are set at system initialisation time with
 * int ldapssl_set_client_cert (
 *  void   *cert,
 *  int     type
 *  void   *password); 
 * type can be LDAPSSL_CERT_FILETYPE_B64 or LDAPSSL_CERT_FILETYPE_DER
 *  ldapssl_set_client_private_key(clientPrivateKey,
 *                                 clientPrivateKeyEncoding,
 *                                 clientPrivateKeyPassword);
 *
 * OpenSSL:
 * Needs one or more CA certificates to be set at system initialisation time
 * with a type of APR_LDAP_CA*.
 *
 * May have one or more client certificates set per connection with a type of
 * APR_LDAP_CERT*, and keys with APR_LDAP_KEY*.
 */
/** CA certificate type unknown */
#define APR_LDAP_CA_TYPE_UNKNOWN    0
/** binary DER encoded CA certificate */
#define APR_LDAP_CA_TYPE_DER        1
/** PEM encoded CA certificate */
#define APR_LDAP_CA_TYPE_BASE64     2
/** Netscape/Mozilla cert7.db CA certificate database */
#define APR_LDAP_CA_TYPE_CERT7_DB   3
/** Netscape/Mozilla secmod file */
#define APR_LDAP_CA_TYPE_SECMOD     4
/** Client certificate type unknown */
#define APR_LDAP_CERT_TYPE_UNKNOWN  5
/** binary DER encoded client certificate */
#define APR_LDAP_CERT_TYPE_DER      6
/** PEM encoded client certificate */
#define APR_LDAP_CERT_TYPE_BASE64   7
/** Netscape/Mozilla key3.db client certificate database */
#define APR_LDAP_CERT_TYPE_KEY3_DB  8
/** Netscape/Mozilla client certificate nickname */
#define APR_LDAP_CERT_TYPE_NICKNAME 9
/** Private key type unknown */
#define APR_LDAP_KEY_TYPE_UNKNOWN   10
/** binary DER encoded private key */
#define APR_LDAP_KEY_TYPE_DER       11
/** PEM encoded private key */
#define APR_LDAP_KEY_TYPE_BASE64    12
/** PKCS#12 encoded client certificate */
#define APR_LDAP_CERT_TYPE_PFX      13
/** PKCS#12 encoded private key */
#define APR_LDAP_KEY_TYPE_PFX       14
/** Openldap directory full of base64-encoded cert 
 * authorities with hashes in corresponding .0 directory
 */
#define APR_LDAP_CA_TYPE_CACERTDIR_BASE64 15


/**
 * Certificate structure.
 *
 * This structure is used to store certificate details. An array of
 * these structures is passed to apr_ldap_set_option() to set CA
 * and client certificates.
 * @param type Type of certificate APR_LDAP_*_TYPE_*
 * @param path Path, file or nickname of the certificate
 * @param password Optional password, can be NULL
 */
typedef struct apr_ldap_opt_tls_cert_t apr_ldap_opt_tls_cert_t;
struct apr_ldap_opt_tls_cert_t {
    int type;
    const char *path;
    const char *password;
};

/**
 * APR_LDAP_OPT_TLS
 *
 * This sets the SSL level on the LDAP handle.
 *
 * Netscape/Mozilla:
 * Supports SSL, but not STARTTLS
 * SSL is enabled by calling ldapssl_install_routines().
 *
 * Novell:
 * Supports SSL and STARTTLS.
 * SSL is enabled by calling ldapssl_install_routines(). Note that calling
 * other ldap functions before ldapssl_install_routines() may cause this
 * function to fail.
 * STARTTLS is enabled by calling ldapssl_start_tls_s() after calling
 * ldapssl_install_routines() (check this).
 *
 * OpenLDAP:
 * Supports SSL and supports STARTTLS, but none of this is documented:
 * http://www.openldap.org/lists/openldap-software/200409/msg00618.html
 * Documentation for both SSL support and STARTTLS has been deleted from
 * the OpenLDAP documentation and website.
 */

/** No encryption */
#define APR_LDAP_NONE 0
/** SSL encryption (ldaps://) */
#define APR_LDAP_SSL 1
/** TLS encryption (STARTTLS) */
#define APR_LDAP_STARTTLS 2
/** end TLS encryption (STOPTLS) */
#define APR_LDAP_STOPTLS 3

/**
 * APR LDAP get option function
 *
 * This function gets option values from a given LDAP session if
 * one was specified. It maps to the native ldap_get_option() function.
 * @param pool The pool to use
 * @param ldap The LDAP handle
 * @param option The LDAP_OPT_* option to return
 * @param outvalue The value returned (if any)
 * @param result_err The apr_ldap_err_t structure contained detailed results
 *        of the operation.
 */
APU_DECLARE_LDAP(int) apr_ldap_get_option(apr_pool_t *pool,
                                          LDAP *ldap,
                                          int option,
                                          void *outvalue,
                                          apr_ldap_err_t **result_err);

/**
 * APR LDAP set option function
 * 
 * This function sets option values to a given LDAP session if
 * one was specified. It maps to the native ldap_set_option() function.
 * 
 * Where an option is not supported by an LDAP toolkit, this function
 * will try and apply legacy functions to achieve the same effect,
 * depending on the platform.
 * @param pool The pool to use
 * @param ldap The LDAP handle
 * @param option The LDAP_OPT_* option to set
 * @param invalue The value to set
 * @param result_err The apr_ldap_err_t structure contained detailed results
 *        of the operation.
 */
APU_DECLARE_LDAP(int) apr_ldap_set_option(apr_pool_t *pool,
                                          LDAP *ldap,
                                          int option,
                                          const void *invalue,
                                          apr_ldap_err_t **result_err);

#ifdef __cplusplus
}
#endif

#endif /* APR_HAS_LDAP */

/** @} */

#endif /* APR_LDAP_OPTION_H */
Import apache apr-util 1.4.1 2013-06-18 01:59:55 +00:00			`/* Licensed to the Apache Software Foundation (ASF) under one or more`
			`* contributor license agreements. See the NOTICE file distributed with`
			`* this work for additional information regarding copyright ownership.`
			`* The ASF licenses this file to You under the Apache License, Version 2.0`
			`* (the "License"); you may not use this file except in compliance with`
			`* the License. You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

			`/**`
			`* @file apr_ldap_option.h`
			`* @brief APR-UTIL LDAP ldap_*_option() functions`
			`*/`
			`#ifndef APR_LDAP_OPTION_H`
			`#define APR_LDAP_OPTION_H`

			`/**`
			`* @addtogroup APR_Util_LDAP`
			`* @{`
			`*/`

			`#include "apr_ldap.h"`

			`#if APR_HAS_LDAP`

			`#ifdef __cplusplus`
			`extern "C" {`
			`#endif /* __cplusplus */`

			`/*`
			`* The following defines handle the different TLS certificate`
			`* options available. If these options are missing, APR will try and`
			`* emulate support for this using the deprecated ldap_start_tls_s()`
			`* function.`
			`*/`
			`/**`
			`* Set SSL mode to one of APR_LDAP_NONE, APR_LDAP_SSL, APR_LDAP_STARTTLS`
			`* or APR_LDAP_STOPTLS.`
			`*/`
			`#define APR_LDAP_OPT_TLS 0x6fff`
			`/**`
			`* Set zero or more CA certificates, client certificates or private`
			`* keys globally, or per connection (where supported).`
			`*/`
			`#define APR_LDAP_OPT_TLS_CERT 0x6ffe`
			`/**`
			`* Set the LDAP library to no verify the server certificate. This means`
			`* all servers are considered trusted.`
			`*/`
			`#define APR_LDAP_OPT_VERIFY_CERT 0x6ffd`
			`/**`
			`* Set the LDAP library to indicate if referrals should be chased during`
			`* LDAP searches.`
			`*/`
			`#define APR_LDAP_OPT_REFERRALS 0x6ffc`
			`/**`
			`* Set the LDAP library to indicate a maximum number of referral hops to`
			`* chase before giving up on the search.`
			`*/`
			`#define APR_LDAP_OPT_REFHOPLIMIT 0x6ffb`

			`/**`
			`* Structures for the apr_set_option() cases`
			`*/`

			`/**`
			`* APR_LDAP_OPT_TLS_CERT`
			`*`
			`* This structure includes possible options to set certificates on`
			`* system initialisation. Different SDKs have different certificate`
			`* requirements, and to achieve this multiple certificates must be`
			`* specified at once passed as an (apr_array_header_t *).`
			`*`
			`* Netscape:`
			`* Needs the CA cert database (cert7.db), the client cert database (key3.db)`
			`* and the security module file (secmod.db) set at the system initialisation`
			`* time. Three types are supported: APR_LDAP_CERT7_DB, APR_LDAP_KEY3_DB and`
			`* APR_LDAP_SECMOD.`
			`*`
			`* To specify a client cert connection, a certificate nickname needs to be`
			`* provided with a type of APR_LDAP_CERT.`
			`* int ldapssl_enable_clientauth( LDAP ld, char keynickname,`
			`* char keypasswd, char certnickname );`
			`* keynickname is currently not used, and should be set to ""`
			`*`
			`* Novell:`
			`* Needs CA certificates and client certificates set at system initialisation`
			`* time. Three types are supported: APR_LDAP_CA, APR_LDAP_CERT and`
			`* APR_LDAP_KEY*.`
			`*`
			`* Certificates cannot be specified per connection.`
			`*`
			`* The functions used are:`
			`* ldapssl_add_trusted_cert(serverTrustedRoot, serverTrustedRootEncoding);`
			`* Clients certs and keys are set at system initialisation time with`
			`* int ldapssl_set_client_cert (`
			`* void *cert,`
			`* int type`
			`* void *password);`
			`* type can be LDAPSSL_CERT_FILETYPE_B64 or LDAPSSL_CERT_FILETYPE_DER`
			`* ldapssl_set_client_private_key(clientPrivateKey,`
			`* clientPrivateKeyEncoding,`
			`* clientPrivateKeyPassword);`
			`*`
			`* OpenSSL:`
			`* Needs one or more CA certificates to be set at system initialisation time`
			`* with a type of APR_LDAP_CA*.`
			`*`
			`* May have one or more client certificates set per connection with a type of`
			`* APR_LDAP_CERT, and keys with APR_LDAP_KEY.`
			`*/`
			`/** CA certificate type unknown */`
			`#define APR_LDAP_CA_TYPE_UNKNOWN 0`
			`/** binary DER encoded CA certificate */`
			`#define APR_LDAP_CA_TYPE_DER 1`
			`/** PEM encoded CA certificate */`
			`#define APR_LDAP_CA_TYPE_BASE64 2`
			`/** Netscape/Mozilla cert7.db CA certificate database */`
			`#define APR_LDAP_CA_TYPE_CERT7_DB 3`
			`/** Netscape/Mozilla secmod file */`
			`#define APR_LDAP_CA_TYPE_SECMOD 4`
			`/** Client certificate type unknown */`
			`#define APR_LDAP_CERT_TYPE_UNKNOWN 5`
			`/** binary DER encoded client certificate */`
			`#define APR_LDAP_CERT_TYPE_DER 6`
			`/** PEM encoded client certificate */`
			`#define APR_LDAP_CERT_TYPE_BASE64 7`
			`/** Netscape/Mozilla key3.db client certificate database */`
			`#define APR_LDAP_CERT_TYPE_KEY3_DB 8`
			`/** Netscape/Mozilla client certificate nickname */`
			`#define APR_LDAP_CERT_TYPE_NICKNAME 9`
			`/** Private key type unknown */`
			`#define APR_LDAP_KEY_TYPE_UNKNOWN 10`
			`/** binary DER encoded private key */`
			`#define APR_LDAP_KEY_TYPE_DER 11`
			`/** PEM encoded private key */`
			`#define APR_LDAP_KEY_TYPE_BASE64 12`
			`/** PKCS#12 encoded client certificate */`
			`#define APR_LDAP_CERT_TYPE_PFX 13`
			`/** PKCS#12 encoded private key */`
			`#define APR_LDAP_KEY_TYPE_PFX 14`
			`/** Openldap directory full of base64-encoded cert`
			`* authorities with hashes in corresponding .0 directory`
			`*/`
			`#define APR_LDAP_CA_TYPE_CACERTDIR_BASE64 15`


			`/**`
			`* Certificate structure.`
			`*`
			`* This structure is used to store certificate details. An array of`
			`* these structures is passed to apr_ldap_set_option() to set CA`
			`* and client certificates.`
			`* @param type Type of certificate APR_LDAP__TYPE_`
			`* @param path Path, file or nickname of the certificate`
			`* @param password Optional password, can be NULL`
			`*/`
			`typedef struct apr_ldap_opt_tls_cert_t apr_ldap_opt_tls_cert_t;`
			`struct apr_ldap_opt_tls_cert_t {`
			`int type;`
			`const char *path;`
			`const char *password;`
			`};`

			`/**`
			`* APR_LDAP_OPT_TLS`
			`*`
			`* This sets the SSL level on the LDAP handle.`
			`*`
			`* Netscape/Mozilla:`
			`* Supports SSL, but not STARTTLS`
			`* SSL is enabled by calling ldapssl_install_routines().`
			`*`
			`* Novell:`
			`* Supports SSL and STARTTLS.`
			`* SSL is enabled by calling ldapssl_install_routines(). Note that calling`
			`* other ldap functions before ldapssl_install_routines() may cause this`
			`* function to fail.`
			`* STARTTLS is enabled by calling ldapssl_start_tls_s() after calling`
			`* ldapssl_install_routines() (check this).`
			`*`
			`* OpenLDAP:`
			`* Supports SSL and supports STARTTLS, but none of this is documented:`
			`* http://www.openldap.org/lists/openldap-software/200409/msg00618.html`
			`* Documentation for both SSL support and STARTTLS has been deleted from`
			`* the OpenLDAP documentation and website.`
			`*/`

			`/** No encryption */`
			`#define APR_LDAP_NONE 0`
			`/** SSL encryption (ldaps://) */`
			`#define APR_LDAP_SSL 1`
			`/** TLS encryption (STARTTLS) */`
			`#define APR_LDAP_STARTTLS 2`
			`/** end TLS encryption (STOPTLS) */`
			`#define APR_LDAP_STOPTLS 3`

			`/**`
			`* APR LDAP get option function`
			`*`
			`* This function gets option values from a given LDAP session if`
			`* one was specified. It maps to the native ldap_get_option() function.`
			`* @param pool The pool to use`
			`* @param ldap The LDAP handle`
			`* @param option The LDAP_OPT_* option to return`
			`* @param outvalue The value returned (if any)`
			`* @param result_err The apr_ldap_err_t structure contained detailed results`
			`* of the operation.`
			`*/`
			`APU_DECLARE_LDAP(int) apr_ldap_get_option(apr_pool_t *pool,`
			`LDAP *ldap,`
			`int option,`
			`void *outvalue,`
			`apr_ldap_err_t **result_err);`

			`/**`
			`* APR LDAP set option function`
			`*`
			`* This function sets option values to a given LDAP session if`
			`* one was specified. It maps to the native ldap_set_option() function.`
			`*`
			`* Where an option is not supported by an LDAP toolkit, this function`
			`* will try and apply legacy functions to achieve the same effect,`
			`* depending on the platform.`
			`* @param pool The pool to use`
			`* @param ldap The LDAP handle`
			`* @param option The LDAP_OPT_* option to set`
			`* @param invalue The value to set`
			`* @param result_err The apr_ldap_err_t structure contained detailed results`
			`* of the operation.`
			`*/`
			`APU_DECLARE_LDAP(int) apr_ldap_set_option(apr_pool_t *pool,`
			`LDAP *ldap,`
			`int option,`
			`const void *invalue,`
			`apr_ldap_err_t **result_err);`

			`#ifdef __cplusplus`
			`}`
			`#endif`

			`#endif /* APR_HAS_LDAP */`

			`/** @} */`

			`#endif /* APR_LDAP_OPTION_H */`