fcfdf7f9 | 1 | /* |
f70aedc4 | 2 | * Copyright (C) 1996-2021 The Squid Software Foundation and contributors |
3 | * |
4 | * Squid software is distributed under GPLv2+ license and includes | |
5 | * contributions from numerous individuals and organizations. | |
6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
7 | */ | |
8 | ||
9 | #ifndef SQUID_SRC_SECURITY_FORWARD_H | |
10 | #define SQUID_SRC_SECURITY_FORWARD_H | |
11 | ||
92e3827b | 12 | #include "base/CbDataList.h" |
83b053a0 | 13 | #include "base/forward.h" |
fcfdf7f9 | 14 | #include "security/Context.h" |
63b8c4d7 | 15 | #include "security/Session.h" |
f97700a0 | 16 | |
17 | #if USE_GNUTLS && HAVE_GNUTLS_ABSTRACT_H |
18 | #include <gnutls/abstract.h> | |
f97700a0 | 19 | #endif |
6b19d1f9 | 20 | #include <list> |
83b053a0 | 21 | #include <limits> |
22 | #if USE_OPENSSL |
23 | #include "compat/openssl.h" | |
24 | #if HAVE_OPENSSL_BN_H | |
25 | #include <openssl/bn.h> | |
26 | #endif | |
27 | #if HAVE_OPENSSL_ERR_H | |
28 | #include <openssl/err.h> |
29 | #endif | |
30 | #if HAVE_OPENSSL_RSA_H |
31 | #include <openssl/rsa.h> | |
32 | #endif | |
33 | #endif /* USE_OPENSSL */ | |
83f8d8f9 | 34 | #include <unordered_set> |
fcfdf7f9 | 35 | |
#if USE_OPENSSL
// Macro to be used to define the C++ wrapper functor of the sk_*_pop_free
// OpenSSL family of functions. The C++ functor is suffixed with the _free_wrapper
// extension.
//
// sk_dtor_wrapper(sk_object, argument_type, freefunction) expands to a struct
// named sk_object_free_wrapper whose call operator hands the stack `a` to
// sk_object_pop_free(a, freefunction) (which, per OpenSSL, frees each element
// with `freefunction` and then the stack itself). The expansion deliberately
// ends without a ';', so every use site supplies its own terminator.
// Constructed example (not from this file):
//     sk_dtor_wrapper(sk_X509, STACK_OF(X509) *, X509_free)
// defines sk_X509_free_wrapper, which calls sk_X509_pop_free(a, X509_free).
// NOTE(review): presumably intended as a deleter type for the owning pointer
// wrappers declared later in this header; confirm at the use sites.
#define sk_dtor_wrapper(sk_object, argument_type, freefunction) \
    struct sk_object ## _free_wrapper { \
        void operator()(argument_type a) { sk_object ## _pop_free(a, freefunction); } \
    }
#endif /* USE_OPENSSL */
45 | ||
/* flags a SSL connection can be configured with */
/*
 * Each flag occupies a distinct bit (1<<0 .. 1<<7). NOTE(review): presumably
 * these are OR-ed into the `long` Security::ParsedPortFlags bitmask declared
 * further down -- confirm against the option parsing code.
 * Per their names, the DONT_VERIFY_* flags switch off peer certificate and
 * domain-name checks, i.e. they weaken TLS validation for that connection;
 * VERIFY_CRL / VERIFY_CRL_ALL appear to select two levels of CRL checking.
 */
#define SSL_FLAG_NO_DEFAULT_CA (1<<0)
#define SSL_FLAG_DELAYED_AUTH (1<<1)
#define SSL_FLAG_DONT_VERIFY_PEER (1<<2)
#define SSL_FLAG_DONT_VERIFY_DOMAIN (1<<3)
#define SSL_FLAG_NO_SESSION_REUSE (1<<4)
#define SSL_FLAG_VERIFY_CRL (1<<5)
#define SSL_FLAG_VERIFY_CRL_ALL (1<<6)
#define SSL_FLAG_CONDITIONAL_AUTH (1<<7)
b24e9ae7 | 55 | |
/// Network/connection security abstraction layer.
/// Declares the TLS-library-neutral names (certificate, CRL, key and option
/// handles, error-code types) used by the rest of Squid. Each name resolves
/// to an OpenSSL type, a GnuTLS type, or a placeholder, depending on the
/// build (USE_OPENSSL / USE_GNUTLS / neither).
/// NOTE(review): std::shared_ptr is used below, but <memory> is not included
/// by this header directly; presumably it arrives via security/Context.h or
/// security/Session.h -- confirm (include-what-you-use).
namespace Security
{

class CertError;
/// Holds a list of X.509 certificate errors
typedef CbDataList<Security::CertError> CertErrors;

/// The TLS library's X.509 certificate object; an empty placeholder class
/// when Squid is built without a TLS library.
#if USE_OPENSSL
typedef X509 Certificate;
#elif USE_GNUTLS
typedef struct gnutls_x509_crt_int Certificate;
#else
typedef class {} Certificate;
#endif

/// Owning handle to a Certificate.
/// OpenSSL: a LockingPointer that releases with X509_free(); the HardFun
/// argument presumably supplies the X509_up_ref() copy hook -- see
/// LockingPointer for the exact contract. GnuTLS and no-library builds use
/// std::shared_ptr instead.
#if USE_OPENSSL
CtoCpp1(X509_free, X509 *);
typedef Security::LockingPointer<X509, X509_free_cpp, HardFun<int, X509 *, X509_up_ref> > CertPointer;
#elif USE_GNUTLS
typedef std::shared_ptr<struct gnutls_x509_crt_int> CertPointer;
#else
typedef std::shared_ptr<Certificate> CertPointer;
#endif

/// Owning handle to a certificate revocation list.
/// OpenSSL: LockingPointer with X509_CRL_free()/X509_CRL_up_ref().
/// GnuTLS: LockingPointer with gnutls_x509_crl_deinit() and no up-ref hook
/// (whatever LockingPointer's default is applies; not visible here).
/// No-library builds: an untyped placeholder pointer.
#if USE_OPENSSL
CtoCpp1(X509_CRL_free, X509_CRL *);
typedef Security::LockingPointer<X509_CRL, X509_CRL_free_cpp, HardFun<int, X509_CRL *, X509_CRL_up_ref> > CrlPointer;
#elif USE_GNUTLS
CtoCpp1(gnutls_x509_crl_deinit, gnutls_x509_crl_t);
typedef Security::LockingPointer<struct gnutls_x509_crl_int, gnutls_x509_crl_deinit> CrlPointer;
#else
typedef void *CrlPointer;
#endif

/// Ordered sequence of owning certificate handles (e.g., a chain).
typedef std::list<Security::CertPointer> CertList;

/// Ordered sequence of owning CRL handles.
typedef std::list<Security::CrlPointer> CertRevokeList;

/// Owning handle to Diffie-Hellman parameters. Only OpenSSL has a real type
/// here (DH with DH_free()/DH_up_ref()); GnuTLS and no-library builds share
/// the untyped placeholder.
#if USE_OPENSSL
CtoCpp1(DH_free, DH *);
typedef Security::LockingPointer<DH, DH_free_cpp, HardFun<int, DH *, DH_up_ref> > DhePointer;
#else
typedef void *DhePointer;
#endif

class EncryptorAnswer;

/// Squid-defined error code (<0), an error code returned by X.509 API, or zero
typedef int ErrorCode;

/// TLS library-reported non-validation error
/// (note the width differs per library: unsigned long for OpenSSL, int otherwise)
#if USE_OPENSSL
/// the result of the first ERR_get_error(3SSL) call after a library call;
/// `openssl errstr` expands these numbers into human-friendlier strings like
/// `error:1408F09C:SSL routines:ssl3_get_record:http request`
typedef unsigned long LibErrorCode;
#elif USE_GNUTLS
/// the result of an API function like gnutls_handshake() (e.g.,
/// GNUTLS_E_WARNING_ALERT_RECEIVED)
typedef int LibErrorCode;
#else
/// should always be zero and virtually unused
typedef int LibErrorCode;
#endif

/// converts numeric LibErrorCode into a human-friendlier string
/// \param code a LibErrorCode as reported by the TLS library
/// \returns a NUL-terminated string owned by the library (or a literal);
///          callers must not free it
/// NOTE(review): with OpenSSL, passing a null buffer to ERR_error_string(3SSL)
/// selects a static buffer that the next such call overwrites, so copy the
/// result before making further OpenSSL error calls; the returned pointer is
/// not safe to retain.
inline const char *ErrorString(const LibErrorCode code) {
#if USE_OPENSSL
    return ERR_error_string(code, nullptr);
#elif USE_GNUTLS
    return gnutls_strerror(code);
#else
    return "[no TLS library]"; // nothing to ask; fixed placeholder text
#endif
}

/// set of Squid defined TLS error codes
/// \note using std::unordered_set ensures values are unique, with fast lookup
typedef std::unordered_set<Security::ErrorCode> Errors;

/// Connection direction identifiers used by the TLS I/O layer.
namespace Io
{
enum Type {
#if USE_OPENSSL
    // Squid-chosen identifiers (not OpenSSL constants); how they are used as
    // BIO type numbers is not visible in this header -- see the BIO code.
    BIO_TO_CLIENT = 6000,
    BIO_TO_SERVER
#elif USE_GNUTLS
    // NP: this is odd looking but correct.
    // 'to-client' means we are a server, and vice versa.
    BIO_TO_CLIENT = GNUTLS_SERVER,
    BIO_TO_SERVER = GNUTLS_CLIENT
#else
    // same values as the OpenSSL case so callers compile unchanged
    BIO_TO_CLIENT = 6000,
    BIO_TO_SERVER
#endif
};

} // namespace Io

// TODO: Either move to Security::Io or remove/restrict the Io namespace.
class IoResult;

class KeyData;

/// Library representation of parsed TLS option strings: an OpenSSL option
/// bitmask (long), a GnuTLS priority object, or an empty class when no
/// library is present.
#if USE_OPENSSL
typedef long ParsedOptions;
#elif USE_GNUTLS
typedef std::shared_ptr<struct gnutls_priority_st> ParsedOptions;
#else
class ParsedOptions {}; // we never parse/use TLS options in this case
#endif

/// bitmask representing configured http(s)_port `sslflags`
/// as well as tls_outgoing_options `flags`, cache_peer `sslflags`, and
/// icap_service `tls-flags`
typedef long ParsedPortFlags;

class PeerConnector;
class PeerOptions;

/// Owning handle to a private key.
/// OpenSSL: LockingPointer with EVP_PKEY_free()/EVP_PKEY_up_ref().
/// NOTE(review): unlike the other CtoCpp1() uses in this header, the
/// EVP_PKEY_free line carries no trailing ';' -- confirm that the macro's
/// expansion makes both forms legal, then make the uses consistent.
/// No-library builds use shared_ptr<void>, so the pointee type is unchecked.
#if USE_OPENSSL
CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
typedef Security::LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, HardFun<int, EVP_PKEY *, EVP_PKEY_up_ref> > PrivateKeyPointer;
#elif USE_GNUTLS
typedef std::shared_ptr<struct gnutls_x509_privkey_int> PrivateKeyPointer;
#else
typedef std::shared_ptr<void> PrivateKeyPointer;
#endif

class ServerOptions;

class ErrorDetail;
/// Reference-counted handle to an ErrorDetail (RefCount is a Squid type).
typedef RefCount<ErrorDetail> ErrorDetailPointer;

} // namespace Security
192 | ||
/// Squid-specific TLS handling errors (a subset of ErrorCode)
/// These errors either distinguish high-level library calls/contexts or
/// supplement official certificate validation errors to cover special cases.
/// We use negative values, assuming that those official errors are positive.
/// The enumerators are consecutive ints starting at INT_MIN, so every
/// Squid-defined code lies in [SQUID_TLS_ERR_OFFSET, SQUID_TLS_ERR_END] and
/// cannot collide with a non-negative library code.
enum {
    SQUID_TLS_ERR_OFFSET = std::numeric_limits<int>::min(), ///< first (most negative) Squid code; requires <limits>

    /* TLS library calls/contexts other than validation (e.g., I/O) */
    SQUID_TLS_ERR_ACCEPT, ///< failure to accept a connection from a TLS client
    SQUID_TLS_ERR_CONNECT, ///< failure to establish a connection with a TLS server

    /* certificate validation problems not covered by official errors */
    SQUID_X509_V_ERR_CERT_CHANGE, ///< presumably: peer presented a certificate different from an earlier one -- confirm at the raising site
    SQUID_X509_V_ERR_DOMAIN_MISMATCH, ///< presumably: certificate does not match the requested host name (cf. SSL_FLAG_DONT_VERIFY_DOMAIN) -- confirm at the raising site
    SQUID_X509_V_ERR_INFINITE_VALIDATION, ///< presumably: validation would not terminate -- confirm at the raising site

    SQUID_TLS_ERR_END ///< last enumerator; presumably a range marker rather than a reportable error
};
211 | ||
212 | #endif /* SQUID_SRC_SECURITY_FORWARD_H */ |
213 |