1 | /* |
2 | * 2009/01/17 | |
3 | */ | |
4 | ||
5 | #ifndef SQUID_SSL_GADGETS_H | |
6 | #define SQUID_SSL_GADGETS_H | |
7 | ||
8 | #include "base/TidyPointer.h" | |
fb2178bb | 9 | #include "ssl/crtd_message.h" |
10 | |
11 | #if HAVE_OPENSSL_SSL_H | |
12 | #include <openssl/ssl.h> | |
13 | #endif | |
14 | #if HAVE_OPENSSL_TXT_DB_H | |
15 | #include <openssl/txt_db.h> | |
16 | #endif | |
17 | #if HAVE_STRING | |
18 | #include <string> | |
19 | #endif | |
20 | ||
21 | namespace Ssl | |
22 | { | |
23 | /** | |
24 | \defgroup SslCrtdSslAPI ssl_crtd SSL api. | |
25 | These functions must not depend on Squid runtime code such as debug() | |
26 | because they are used by ssl_crtd. | |
27 | */ | |
28 | ||
/**
 \ingroup SslCrtdSslAPI
 * A TidyPointer that can additionally hold a counted reference on an
 * OpenSSL object: the count lives in the object's "references" field and
 * is bumped with CRYPTO_add under the CRYPTO_LOCK_* id given as "lock".
 */
template <typename T, void (*DeAllocator)(T *t), int lock>
class LockingPointer: public TidyPointer<T, DeAllocator>
{
public:
    typedef TidyPointer<T, DeAllocator> Parent;

    /// Wrap t (NULL by default) without touching its reference count.
    LockingPointer(T *t = NULL): Parent(t) {}

    /// Start managing t and take our own counted reference on it, so that
    /// the caller's reference and ours are accounted for separately.
    /// A no-op when t is already the managed pointee.
    void resetAndLock(T *t) {
        if (t == this->get())
            return;

        // Parent::reset() is assumed to release whatever was held before.
        this->reset(t);
        if (t == NULL)
            return;

        CRYPTO_add(&t->references, 1, lock);
    }
};
50 | ||
// Macro to be used to define the C++ equivalent function of an extern "C"
// function. The C++ function is suffixed with the _cpp extension.
// Presumably needed so that the OpenSSL free functions (extern "C") can be
// handed to TidyPointer/LockingPointer as the DeAllocator template argument
// through a wrapper with C++ linkage; the wrapper simply forwards its one
// argument.
#define CtoCpp1(function, argument) \
        extern "C++" inline void function ## _cpp(argument a) { \
            function(a); \
        }
57 | |
/**
 \ingroup SslCrtdSslAPI
 * TidyPointer typedefs for common SSL objects.
 * Each *_free_cpp wrapper is generated by CtoCpp1 from the OpenSSL free
 * function of the same name. X509_Pointer and EVP_PKEY_Pointer are
 * LockingPointers (they can take a counted reference via resetAndLock());
 * the rest are plain TidyPointers that release through the wrapper.
 */
CtoCpp1(X509_free, X509 *)
typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;

// NOTE(review): OpenSSL's sk_X509_free releases the stack structure only,
// not the certificates it holds; check that this matches the ownership
// intended wherever X509_STACK_Pointer is used.
CtoCpp1(sk_X509_free, STACK_OF(X509) *)
typedef TidyPointer<STACK_OF(X509), sk_X509_free_cpp> X509_STACK_Pointer;

CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;

CtoCpp1(BN_free, BIGNUM *)
typedef TidyPointer<BIGNUM, BN_free_cpp> BIGNUM_Pointer;

CtoCpp1(BIO_free, BIO *)
typedef TidyPointer<BIO, BIO_free_cpp> BIO_Pointer;

CtoCpp1(ASN1_INTEGER_free, ASN1_INTEGER *)
typedef TidyPointer<ASN1_INTEGER, ASN1_INTEGER_free_cpp> ASN1_INT_Pointer;

CtoCpp1(TXT_DB_free, TXT_DB *)
typedef TidyPointer<TXT_DB, TXT_DB_free_cpp> TXT_DB_Pointer;

CtoCpp1(X509_NAME_free, X509_NAME *)
typedef TidyPointer<X509_NAME, X509_NAME_free_cpp> X509_NAME_Pointer;

CtoCpp1(RSA_free, RSA *)
typedef TidyPointer<RSA, RSA_free_cpp> RSA_Pointer;

CtoCpp1(X509_REQ_free, X509_REQ *)
typedef TidyPointer<X509_REQ, X509_REQ_free_cpp> X509_REQ_Pointer;

CtoCpp1(SSL_CTX_free, SSL_CTX *)
typedef TidyPointer<SSL_CTX, SSL_CTX_free_cpp> SSL_CTX_Pointer;

CtoCpp1(SSL_free, SSL *)
typedef TidyPointer<SSL, SSL_free_cpp> SSL_Pointer;
95d2589c | 97 | |
98 | /** |
99 | \ingroup SslCrtdSslAPI | |
100 | * Create 1024 bits rsa key. | |
101 | */ | |
102 | EVP_PKEY * createSslPrivateKey(); | |
103 | ||
95d2589c CT |
104 | /** |
105 | \ingroup SslCrtdSslAPI | |
106 | * Write private key and SSL certificate to memory. | |
107 | */ | |
108 | bool writeCertAndPrivateKeyToMemory(X509_Pointer const & cert, EVP_PKEY_Pointer const & pkey, std::string & bufferToWrite); | |
109 | ||
9a90aace CT |
110 | /** |
111 | \ingroup SslCrtdSslAPI | |
112 | * Append SSL certificate to bufferToWrite. | |
113 | */ | |
114 | bool appendCertToMemory(X509_Pointer const & cert, std::string & bufferToWrite); | |
115 | ||
95d2589c CT |
116 | /** |
117 | \ingroup SslCrtdSslAPI | |
118 | * Write private key and SSL certificate to file. | |
119 | */ | |
120 | bool writeCertAndPrivateKeyToFile(X509_Pointer const & cert, EVP_PKEY_Pointer const & pkey, char const * filename); | |
121 | ||
122 | /** | |
123 | \ingroup SslCrtdSslAPI | |
124 | * Write private key and SSL certificate to memory. | |
125 | */ | |
126 | bool readCertAndPrivateKeyFromMemory(X509_Pointer & cert, EVP_PKEY_Pointer & pkey, char const * bufferToRead); | |
127 | ||
9a90aace CT |
128 | /** |
129 | \ingroup SslCrtdSslAPI | |
130 | * Read SSL certificate from memory. | |
131 | */ | |
132 | bool readCertFromMemory(X509_Pointer & cert, char const * bufferToRead); | |
133 | ||
/**
 \ingroup SslCrtdSslAPI
 * Supported certificate signing algorithms. algSignEnd is not an algorithm:
 * it is the sentinel used as the array bound for CertSignAlgorithmStr and
 * as the "unknown" result of certSignAlgorithmId().
 */
enum CertSignAlgorithm {algSignTrusted = 0, algSignUntrusted, algSignSelf, algSignEnd};

/**
 \ingroup SslCrtdSslAPI
 * Short names for certificate signing algorithms, indexed by
 * CertSignAlgorithm. Defined elsewhere; certSignAlgorithmId() treats a
 * NULL entry as the end of the table.
 */

extern const char *CertSignAlgorithmStr[];
146 | |
/**
 \ingroup SslCrtdSslAPI
 * Return the short name of the signing algorithm "sg", or NULL when sg is
 * not a valid CertSignAlgorithm index (negative or >= algSignEnd).
 */
inline const char *certSignAlgorithm(int sg)
{
    const bool known = (sg >= 0) && (sg < Ssl::algSignEnd);
    // CertSignAlgorithmStr is defined elsewhere; it is assumed to hold at
    // least algSignEnd entries.
    return known ? Ssl::CertSignAlgorithmStr[sg] : NULL;
}
158 | ||
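/**
 \ingroup SslCrtdSslAPI
 * Return the id of the signing algorithm whose short name is "sg".
 * \param sg short name to look up; NULL is tolerated and yields algSignEnd.
 * \return the matching CertSignAlgorithm, or algSignEnd when sg is unknown.
 * The scan stops at algSignEnd or at the first NULL entry of
 * CertSignAlgorithmStr, whichever comes first.
 * \note uses strcmp(); this header includes <string> but not <cstring>, so
 * the declaration currently arrives transitively.
 */
inline CertSignAlgorithm certSignAlgorithmId(const char *sg)
{
    // A NULL name would otherwise be handed straight to strcmp().
    if (sg == NULL)
        return algSignEnd;

    for (int i = 0; i < algSignEnd && Ssl::CertSignAlgorithmStr[i] != NULL; ++i)
        if (strcmp(Ssl::CertSignAlgorithmStr[i], sg) == 0)
            return static_cast<CertSignAlgorithm>(i);

    return algSignEnd;
}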
95d2589c | 171 | |
/**
 \ingroup SslCrtdSslAPI
 * Supported certificate adaptation algorithms. algSetEnd is the sentinel
 * used as the array bound for CertAdaptAlgorithmStr in
 * sslCertAdaptAlgoritm(). The first three appear to correspond, by name,
 * to the setValidAfter, setValidBefore and setCommonName flags of
 * CertificateProperties -- confirm in the implementation.
 */
enum CertAdaptAlgorithm {algSetValidAfter = 0, algSetValidBefore, algSetCommonName, algSetEnd};

/**
 \ingroup SslCrtdSslAPI
 * Short names for certificate adaptation algorithms, indexed by
 * CertAdaptAlgorithm. Defined elsewhere.
 */
extern const char *CertAdaptAlgorithmStr[];
183 | ||
/**
 \ingroup SslCrtdSslAPI
 * Return the short name of the adaptation algorithm "alg", or NULL when
 * alg is not a valid CertAdaptAlgorithm index. (The misspelling in the
 * function name is part of the public interface and is kept as is.)
 */
inline const char *sslCertAdaptAlgoritm(int alg)
{
    if (alg < 0)
        return NULL;
    if (alg >= Ssl::algSetEnd)
        return NULL;

    // CertAdaptAlgorithmStr is defined elsewhere; it is assumed to hold at
    // least algSetEnd entries.
    return Ssl::CertAdaptAlgorithmStr[alg];
}
195 | ||
/**
 \ingroup SslCrtdSslAPI
 * Simple struct to pass certificate generation parameters to the
 * generateSslCertificate function.
 */
class CertificateProperties
{
public:
    CertificateProperties();
    X509_Pointer mimicCert; ///< Certificate to mimic
    X509_Pointer signWithX509; ///< Certificate to sign the generated request
    EVP_PKEY_Pointer signWithPkey; ///< The key of the signing certificate
    bool setValidAfter; ///< Do not mimic "Not Valid After" field
    bool setValidBefore; ///< Do not mimic "Not Valid Before" field
    bool setCommonName; ///< Replace the CN field of the mimicked subject with commonName
    std::string commonName; ///< A CN to use for the generated certificate
    CertSignAlgorithm signAlgorithm; ///< The signing algorithm to use
    /// Returns certificate database primary key. New fake certificates
    /// purge old fake certificates with the same key.
    /// NOTE(review): a non-const reference returned from a const method means
    /// the string must live outside the const view of *this (static or
    /// mutable storage); confirm its lifetime before keeping the reference
    /// across calls.
    std::string & dbKey() const;
private:
    // Non-copyable, presumably because the *_Pointer members own their
    // OpenSSL objects. Declared but (as far as this header shows) not defined.
    CertificateProperties(CertificateProperties &);
    CertificateProperties &operator =(CertificateProperties const &);
};
219 | ||
/**
 \ingroup SslCrtdSslAPI
 * Decide on the kind of certificate and generate a CA- or self-signed one
 * (the kind is selected through properties.signAlgorithm).
 * The generated certificate inherits properties from properties.mimicCert,
 * subject to the set* flags and commonName carried in properties.
 * The generated certificate and private key are returned in cert and pkey.
 */
bool generateSslCertificate(X509_Pointer & cert, EVP_PKEY_Pointer & pkey, CertificateProperties const &properties);

/**
 \ingroup SslCrtdSslAPI
 * Read private key from file. Make sure that this is not an encrypted file.
 * \param keyFilename path of the key file (PEM, judging by the callback type).
 * \param passwd_callback OpenSSL password callback. The NULL default leaves
 * password handling to OpenSSL, which is presumably why encrypted key files
 * are warned against here; pass a callback if one must be read.
 */
EVP_PKEY * readSslPrivateKey(char const * keyFilename, pem_password_cb *passwd_callback = NULL);

/**
 \ingroup SslCrtdSslAPI
 * Read certificate and private key from files.
 * \param cert receives the certificate.
 * \param pkey receives the private key.
 * \param certFilename name of file with certificate.
 * \param keyFilename name of file with private key.
 * \note Returns nothing, so callers apparently have to detect failure by
 * inspecting cert and pkey afterwards -- confirm against the implementation.
 */
void readCertAndPrivateKeyFromFiles(X509_Pointer & cert, EVP_PKEY_Pointer & pkey, char const * certFilename, char const * keyFilename);

/**
 \ingroup SslCrtdSslAPI
 * Verify date. Date format is ASN1_UTCTIME. If there is an out-of-date
 * error, return false.
 */
bool sslDateIsInTheFuture(char const * date);

/**
 \ingroup SslCrtdSslAPI
 * Check if the major fields of a certificate match the properties given by
 * a CertificateProperties object.
 \return true if the certificate matches, false otherwise.
 */
bool certificateMatchesProperties(X509 *peer_cert, CertificateProperties const &properties);

/**
 \ingroup ServerProtocolSSLAPI
 * Returns CN from the certificate, suitable for use as a host name.
 * Uses static memory to temporarily store the extracted name, so the
 * returned pointer is only valid until the next call (and the function is
 * therefore not reentrant); copy the result if it must outlive that.
 * Whether the CN is validated or normalized before being returned is up to
 * the implementation -- confirm before using it in trust decisions.
 */
const char *CommonHostName(X509 *x509);

/**
 \ingroup ServerProtocolSSLAPI
 * Returns Organization from the certificate.
 * Uses static memory to temporarily store the extracted name, so the
 * returned pointer is only valid until the next call (and the function is
 * therefore not reentrant); copy the result if it must outlive that.
 */
const char *getOrganization(X509 *x509);
271 | ||
272 | } // namespace Ssl |
273 | #endif // SQUID_SSL_GADGETS_H |