[thirdparty/squid.git] / src / security / forward.h

/*
 * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

#ifndef SQUID_SRC_SECURITY_FORWARD_H
#define SQUID_SRC_SECURITY_FORWARD_H

#include "base/CbDataList.h"
#include "base/forward.h"
#include "security/Context.h"
#include "security/Session.h"

#if USE_GNUTLS && HAVE_GNUTLS_ABSTRACT_H
#include <gnutls/abstract.h>
#endif
#include <list>
#include <limits>
#if USE_OPENSSL
#include "compat/openssl.h"
#if HAVE_OPENSSL_BN_H
#include <openssl/bn.h>
#endif
#if HAVE_OPENSSL_ERR_H
#include <openssl/err.h>
#endif
#if HAVE_OPENSSL_RSA_H
#include <openssl/rsa.h>
#endif
#endif /* USE_OPENSSL */
#include <unordered_set>

#if USE_OPENSSL
// Macro to be used to define the C++ wrapper functor of the sk_*_pop_free
// OpenSSL family of functions. The C++ functor is suffixed with the _free_wrapper
// extension
#define sk_dtor_wrapper(sk_object, argument_type, freefunction) \
        struct sk_object ## _free_wrapper { \
            void operator()(argument_type a) { sk_object ## _pop_free(a, freefunction); } \
        }
#endif /* USE_OPENSSL */

/* flags a SSL connection can be configured with */
#define SSL_FLAG_NO_DEFAULT_CA      (1<<0)
#define SSL_FLAG_DELAYED_AUTH       (1<<1)
#define SSL_FLAG_DONT_VERIFY_PEER   (1<<2)
#define SSL_FLAG_DONT_VERIFY_DOMAIN (1<<3)
#define SSL_FLAG_NO_SESSION_REUSE   (1<<4)
#define SSL_FLAG_VERIFY_CRL         (1<<5)
#define SSL_FLAG_VERIFY_CRL_ALL     (1<<6)
#define SSL_FLAG_CONDITIONAL_AUTH   (1<<7)

/// Network/connection security abstraction layer
namespace Security
{

class CertError;
/// Holds a list of X.509 certificate errors
typedef CbDataList<Security::CertError> CertErrors;

#if USE_OPENSSL
typedef X509 Certificate;
#elif USE_GNUTLS
typedef struct gnutls_x509_crt_int Certificate;
#else
typedef class {} Certificate;
#endif

#if USE_OPENSSL
CtoCpp1(X509_free, X509 *);
typedef Security::LockingPointer<X509, X509_free_cpp, HardFun<int, X509 *, X509_up_ref> > CertPointer;
#elif USE_GNUTLS
typedef std::shared_ptr<struct gnutls_x509_crt_int> CertPointer;
#else
typedef std::shared_ptr<Certificate> CertPointer;
#endif

#if USE_OPENSSL
CtoCpp1(X509_CRL_free, X509_CRL *);
typedef Security::LockingPointer<X509_CRL, X509_CRL_free_cpp, HardFun<int, X509_CRL *, X509_CRL_up_ref> > CrlPointer;
#elif USE_GNUTLS
CtoCpp1(gnutls_x509_crl_deinit, gnutls_x509_crl_t);
typedef Security::LockingPointer<struct gnutls_x509_crl_int, gnutls_x509_crl_deinit> CrlPointer;
#else
typedef void *CrlPointer;
#endif

typedef std::list<Security::CertPointer> CertList;

typedef std::list<Security::CrlPointer> CertRevokeList;

#if USE_OPENSSL
CtoCpp1(DH_free, DH *);
typedef Security::LockingPointer<DH, DH_free_cpp, HardFun<int, DH *, DH_up_ref> > DhePointer;
#else
typedef void *DhePointer;
#endif

class EncryptorAnswer;

/// Squid-defined error code (<0), an error code returned by X.509 API, or zero
typedef int ErrorCode;

/// TLS library-reported non-validation error
#if USE_OPENSSL
/// the result of the first ERR_get_error(3SSL) call after a library call;
/// `openssl errstr` expands these numbers into human-friendlier strings like
/// `error:1408F09C:SSL routines:ssl3_get_record:http request`
typedef unsigned long LibErrorCode;
#elif USE_GNUTLS
/// the result of an API function like gnutls_handshake() (e.g.,
/// GNUTLS_E_WARNING_ALERT_RECEIVED)
typedef int LibErrorCode;
#else
/// should always be zero and virtually unused
typedef int LibErrorCode;
#endif

/// converts numeric LibErrorCode into a human-friendlier string
inline const char *ErrorString(const LibErrorCode code) {
#if USE_OPENSSL
    return ERR_error_string(code, nullptr);
#elif USE_GNUTLS
    return gnutls_strerror(code);
#else
    return "[no TLS library]";
#endif
}

/// set of Squid defined TLS error codes
/// \note using std::unordered_set ensures values are unique, with fast lookup
typedef std::unordered_set<Security::ErrorCode> Errors;

namespace Io
{
enum Type {
#if USE_OPENSSL
    BIO_TO_CLIENT = 6000,
    BIO_TO_SERVER
#elif USE_GNUTLS
    // NP: this is odd looking but correct.
    // 'to-client' means we are a server, and vice versa.
    BIO_TO_CLIENT = GNUTLS_SERVER,
    BIO_TO_SERVER = GNUTLS_CLIENT
#else
    BIO_TO_CLIENT = 6000,
    BIO_TO_SERVER
#endif
};

} // namespace Io

// TODO: Either move to Security::Io or remove/restrict the Io namespace.
class IoResult;

class KeyData;

#if USE_OPENSSL
typedef long ParsedOptions;
#elif USE_GNUTLS
typedef std::shared_ptr<struct gnutls_priority_st> ParsedOptions;
#else
class ParsedOptions {}; // we never parse/use TLS options in this case
#endif

/// bitmask representing configured http(s)_port `sslflags`
/// as well tls_outgoing_options `flags`, cache_peer `sslflags`, and
/// icap_service `tls-flags`
typedef long ParsedPortFlags;

class PeerConnector;
class PeerOptions;

#if USE_OPENSSL
CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
typedef Security::LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, HardFun<int, EVP_PKEY *, EVP_PKEY_up_ref> > PrivateKeyPointer;
#elif USE_GNUTLS
typedef std::shared_ptr<struct gnutls_x509_privkey_int> PrivateKeyPointer;
#else
typedef std::shared_ptr<void> PrivateKeyPointer;
#endif

class ServerOptions;

class ErrorDetail;
typedef RefCount<ErrorDetail> ErrorDetailPointer;

} // namespace Security

/// Squid-specific TLS handling errors (a subset of ErrorCode)
/// These errors either distinguish high-level library calls/contexts or
/// supplement official certificate validation errors to cover special cases.
/// We use negative values, assuming that those official errors are positive.
enum {
    SQUID_TLS_ERR_OFFSET = std::numeric_limits<int>::min(),

    /* TLS library calls/contexts other than validation (e.g., I/O) */
    SQUID_TLS_ERR_ACCEPT, ///< failure to accept a connection from a TLS client
    SQUID_TLS_ERR_CONNECT, ///< failure to establish a connection with a TLS server

    /* certificate validation problems not covered by official errors */
    SQUID_X509_V_ERR_CERT_CHANGE,
    SQUID_X509_V_ERR_DOMAIN_MISMATCH,
    SQUID_X509_V_ERR_INFINITE_VALIDATION,

    SQUID_TLS_ERR_END
};

#endif /* SQUID_SRC_SECURITY_FORWARD_H */
Commit	Line	Data
fcfdf7f9	1	/*
f70aedc4	2	* Copyright (C) 1996-2021 The Squid Software Foundation and contributors
fcfdf7f9 AJ	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
	9	#ifndef SQUID_SRC_SECURITY_FORWARD_H
	10	#define SQUID_SRC_SECURITY_FORWARD_H
	11
92e3827b	12	#include "base/CbDataList.h"
83b053a0	13	#include "base/forward.h"
fcfdf7f9	14	#include "security/Context.h"
63b8c4d7	15	#include "security/Session.h"
f97700a0	16
51e09c08 AJ	17	#if USE_GNUTLS && HAVE_GNUTLS_ABSTRACT_H
51e09c08 AJ	18	#include <gnutls/abstract.h>
f97700a0	19	#endif
6b19d1f9	20	#include <list>
83b053a0	21	#include <limits>
24b30fdc EQ	22	#if USE_OPENSSL
	23	#include "compat/openssl.h"
	24	#if HAVE_OPENSSL_BN_H
	25	#include <openssl/bn.h>
	26	#endif
	27	#if HAVE_OPENSSL_ERR_H
ea574635 AJ	28	#include <openssl/err.h>
ea574635 AJ	29	#endif
24b30fdc EQ	30	#if HAVE_OPENSSL_RSA_H
	31	#include <openssl/rsa.h>
	32	#endif
	33	#endif /* USE_OPENSSL */
83f8d8f9	34	#include <unordered_set>
fcfdf7f9	35
48c7e8cb AJ	36	#if USE_OPENSSL
	37	// Macro to be used to define the C++ wrapper functor of the sk_*_pop_free
	38	// OpenSSL family of functions. The C++ functor is suffixed with the _free_wrapper
	39	// extension
	40	#define sk_dtor_wrapper(sk_object, argument_type, freefunction) \
	41	struct sk_object ## _free_wrapper { \
	42	void operator()(argument_type a) { sk_object ## _pop_free(a, freefunction); } \
	43	}
	44	#endif /* USE_OPENSSL */
	45
b24e9ae7 AJ	46	/* flags a SSL connection can be configured with */
	47	#define SSL_FLAG_NO_DEFAULT_CA (1<<0)
	48	#define SSL_FLAG_DELAYED_AUTH (1<<1)
	49	#define SSL_FLAG_DONT_VERIFY_PEER (1<<2)
	50	#define SSL_FLAG_DONT_VERIFY_DOMAIN (1<<3)
	51	#define SSL_FLAG_NO_SESSION_REUSE (1<<4)
	52	#define SSL_FLAG_VERIFY_CRL (1<<5)
	53	#define SSL_FLAG_VERIFY_CRL_ALL (1<<6)
983fab6e	54	#define SSL_FLAG_CONDITIONAL_AUTH (1<<7)
b24e9ae7	55
fcfdf7f9 AJ	56	/// Network/connection security abstraction layer
	57	namespace Security
	58	{
	59
92e3827b AJ	60	class CertError;
	61	/// Holds a list of X.509 certificate errors
	62	typedef CbDataList<Security::CertError> CertErrors;
	63
83b053a0 CT	64	#if USE_OPENSSL
	65	typedef X509 Certificate;
	66	#elif USE_GNUTLS
	67	typedef struct gnutls_x509_crt_int Certificate;
	68	#else
	69	typedef class {} Certificate;
	70	#endif
	71
f97700a0	72	#if USE_OPENSSL
f439fbd2	73	CtoCpp1(X509_free, X509 *);
4103b0c1	74	typedef Security::LockingPointer<X509, X509_free_cpp, HardFun<int, X509 *, X509_up_ref> > CertPointer;
f97700a0	75	#elif USE_GNUTLS
51e09c08	76	typedef std::shared_ptr<struct gnutls_x509_crt_int> CertPointer;
f97700a0	77	#else
83b053a0	78	typedef std::shared_ptr<Certificate> CertPointer;
f97700a0 AJ	79	#endif
f97700a0 AJ	80
6b19d1f9	81	#if USE_OPENSSL
f439fbd2	82	CtoCpp1(X509_CRL_free, X509_CRL *);
4103b0c1	83	typedef Security::LockingPointer<X509_CRL, X509_CRL_free_cpp, HardFun<int, X509_CRL *, X509_CRL_up_ref> > CrlPointer;
6b19d1f9	84	#elif USE_GNUTLS
f439fbd2	85	CtoCpp1(gnutls_x509_crl_deinit, gnutls_x509_crl_t);
4103b0c1	86	typedef Security::LockingPointer<struct gnutls_x509_crl_int, gnutls_x509_crl_deinit> CrlPointer;
6b19d1f9 AJ	87	#else
	88	typedef void *CrlPointer;
	89	#endif
	90
a34d1d2d CT	91	typedef std::list<Security::CertPointer> CertList;
a34d1d2d CT	92
4b5ea8a6 CT	93	typedef std::list<Security::CrlPointer> CertRevokeList;
4b5ea8a6 CT	94
104deb98 AJ	95	#if USE_OPENSSL
104deb98 AJ	96	CtoCpp1(DH_free, DH *);
4103b0c1	97	typedef Security::LockingPointer<DH, DH_free_cpp, HardFun<int, DH *, DH_up_ref> > DhePointer;
104deb98 AJ	98	#else
	99	typedef void *DhePointer;
	100	#endif
	101
a72b6e88	102	class EncryptorAnswer;
13cd7dee	103
83b053a0	104	/// Squid-defined error code (<0), an error code returned by X.509 API, or zero
13cd7dee AJ	105	typedef int ErrorCode;
13cd7dee AJ	106
83b053a0 CT	107	/// TLS library-reported non-validation error
	108	#if USE_OPENSSL
	109	/// the result of the first ERR_get_error(3SSL) call after a library call;
	110	/// `openssl errstr` expands these numbers into human-friendlier strings like
	111	/// `error:1408F09C:SSL routines:ssl3_get_record:http request`
	112	typedef unsigned long LibErrorCode;
	113	#elif USE_GNUTLS
	114	/// the result of an API function like gnutls_handshake() (e.g.,
	115	/// GNUTLS_E_WARNING_ALERT_RECEIVED)
	116	typedef int LibErrorCode;
	117	#else
	118	/// should always be zero and virtually unused
	119	typedef int LibErrorCode;
	120	#endif
	121
	122	/// converts numeric LibErrorCode into a human-friendlier string
	123	inline const char *ErrorString(const LibErrorCode code) {
ea574635 AJ	124	#if USE_OPENSSL
	125	return ERR_error_string(code, nullptr);
	126	#elif USE_GNUTLS
	127	return gnutls_strerror(code);
	128	#else
	129	return "[no TLS library]";
	130	#endif
	131	}
	132
83f8d8f9 AJ	133	/// set of Squid defined TLS error codes
	134	/// \note using std::unordered_set ensures values are unique, with fast lookup
	135	typedef std::unordered_set<Security::ErrorCode> Errors;
	136
86f77270 AJ	137	namespace Io
86f77270 AJ	138	{
ed5f5120	139	enum Type {
c96b5508	140	#if USE_OPENSSL
ed5f5120 SM	141	BIO_TO_CLIENT = 6000,
ed5f5120 SM	142	BIO_TO_SERVER
c96b5508	143	#elif USE_GNUTLS
ed5f5120 SM	144	// NP: this is odd looking but correct.
	145	// 'to-client' means we are a server, and vice versa.
	146	BIO_TO_CLIENT = GNUTLS_SERVER,
	147	BIO_TO_SERVER = GNUTLS_CLIENT
087b94cb	148	#else
ed5f5120 SM	149	BIO_TO_CLIENT = 6000,
ed5f5120 SM	150	BIO_TO_SERVER
087b94cb	151	#endif
ed5f5120	152	};
86f77270 AJ	153
	154	} // namespace Io
	155
83b053a0 CT	156	// TODO: Either move to Security::Io or remove/restrict the Io namespace.
	157	class IoResult;
	158
d1d72d43	159	class KeyData;
353e09d8	160
c96b5508 AJ	161	#if USE_OPENSSL
	162	typedef long ParsedOptions;
	163	#elif USE_GNUTLS
c17dcc9a	164	typedef std::shared_ptr<struct gnutls_priority_st> ParsedOptions;
353e09d8	165	#else
c96b5508	166	class ParsedOptions {}; // we never parse/use TLS options in this case
353e09d8 AJ	167	#endif
353e09d8 AJ	168
983fab6e	169	/// bitmask representing configured http(s)_port `sslflags`
	170	/// as well tls_outgoing_options `flags`, cache_peer `sslflags`, and
	171	/// icap_service `tls-flags`
	172	typedef long ParsedPortFlags;
	173
a72b6e88 AJ	174	class PeerConnector;
a72b6e88 AJ	175	class PeerOptions;
cf487124 AJ	176
	177	#if USE_OPENSSL
	178	CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
	179	typedef Security::LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, HardFun<int, EVP_PKEY *, EVP_PKEY_up_ref> > PrivateKeyPointer;
51e09c08 AJ	180	#elif USE_GNUTLS
51e09c08 AJ	181	typedef std::shared_ptr<struct gnutls_x509_privkey_int> PrivateKeyPointer;
cf487124	182	#else
51e09c08	183	typedef std::shared_ptr<void> PrivateKeyPointer;
cf487124 AJ	184	#endif
cf487124 AJ	185
a72b6e88	186	class ServerOptions;
d1d72d43	187
83b053a0 CT	188	class ErrorDetail;
	189	typedef RefCount<ErrorDetail> ErrorDetailPointer;
	190
fcfdf7f9 AJ	191	} // namespace Security
fcfdf7f9 AJ	192
83b053a0 CT	193	/// Squid-specific TLS handling errors (a subset of ErrorCode)
	194	/// These errors either distinguish high-level library calls/contexts or
	195	/// supplement official certificate validation errors to cover special cases.
	196	/// We use negative values, assuming that those official errors are positive.
	197	enum {
	198	SQUID_TLS_ERR_OFFSET = std::numeric_limits<int>::min(),
	199
	200	/* TLS library calls/contexts other than validation (e.g., I/O) */
	201	SQUID_TLS_ERR_ACCEPT, ///< failure to accept a connection from a TLS client
	202	SQUID_TLS_ERR_CONNECT, ///< failure to establish a connection with a TLS server
	203
	204	/* certificate validation problems not covered by official errors */
	205	SQUID_X509_V_ERR_CERT_CHANGE,
	206	SQUID_X509_V_ERR_DOMAIN_MISMATCH,
	207	SQUID_X509_V_ERR_INFINITE_VALIDATION,
	208
	209	SQUID_TLS_ERR_END
	210	};
	211
fcfdf7f9 AJ	212	#endif /* SQUID_SRC_SECURITY_FORWARD_H */
fcfdf7f9 AJ	213