[thirdparty/squid.git] / src / ssl / gadgets.h

/*
 * 2009/01/17
 */

#ifndef SQUID_SSL_GADGETS_H
#define SQUID_SSL_GADGETS_H

#include "base/TidyPointer.h"
#include "ssl/crtd_message.h"

#if HAVE_OPENSSL_SSL_H
#include <openssl/ssl.h>
#endif
#if HAVE_OPENSSL_TXT_DB_H
#include <openssl/txt_db.h>
#endif
#if HAVE_STRING
#include <string>
#endif

namespace Ssl
{
/**
 \defgroup SslCrtdSslAPI ssl_crtd SSL api.
 These functions must not depend on Squid runtime code such as debug()
 because they are used by ssl_crtd.
 */

/**
   \ingroup SslCrtdSslAPI
  * Add SSL locking (a.k.a. reference counting) to TidyPointer
  */
template <typename T, void (*DeAllocator)(T *t), int lock>
class LockingPointer: public TidyPointer<T, DeAllocator>
{
public:
    typedef TidyPointer<T, DeAllocator> Parent;

    LockingPointer(T *t = NULL): Parent(t) {
    }

    void resetAndLock(T *t) {
        if (t != this->get()) {
            this->reset(t);
            if (t)
                CRYPTO_add(&t->references, 1, lock);
        }
    }
};

// Macro to be used to define the C++ equivalent function of an extern "C"
// function. The C++ function suffixed with the _cpp extension
#define CtoCpp1(function, argument) \
        extern "C++" inline void function ## _cpp(argument a) { \
            function(a); \
        }

/**
 \ingroup SslCrtdSslAPI
 * TidyPointer typedefs for  common SSL objects
 */
CtoCpp1(X509_free, X509 *)
typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;

CtoCpp1(sk_X509_free, STACK_OF(X509) *)
typedef TidyPointer<STACK_OF(X509), sk_X509_free_cpp> X509_STACK_Pointer;

CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;

CtoCpp1(BN_free, BIGNUM *)
typedef TidyPointer<BIGNUM, BN_free_cpp> BIGNUM_Pointer;

CtoCpp1(BIO_free, BIO *)
typedef TidyPointer<BIO, BIO_free_cpp> BIO_Pointer;

CtoCpp1(ASN1_INTEGER_free, ASN1_INTEGER *)
typedef TidyPointer<ASN1_INTEGER, ASN1_INTEGER_free_cpp> ASN1_INT_Pointer;

CtoCpp1(TXT_DB_free, TXT_DB *)
typedef TidyPointer<TXT_DB, TXT_DB_free_cpp> TXT_DB_Pointer;

CtoCpp1(X509_NAME_free, X509_NAME *)
typedef TidyPointer<X509_NAME, X509_NAME_free_cpp> X509_NAME_Pointer;

CtoCpp1(RSA_free, RSA *)
typedef TidyPointer<RSA, RSA_free_cpp> RSA_Pointer;

CtoCpp1(X509_REQ_free, X509_REQ *)
typedef TidyPointer<X509_REQ, X509_REQ_free_cpp> X509_REQ_Pointer;

CtoCpp1(SSL_CTX_free, SSL_CTX *)
typedef TidyPointer<SSL_CTX, SSL_CTX_free_cpp> SSL_CTX_Pointer;

CtoCpp1(SSL_free, SSL *)
typedef TidyPointer<SSL, SSL_free_cpp> SSL_Pointer;

/**
 \ingroup SslCrtdSslAPI
 * Create 1024 bits rsa key.
 */
EVP_PKEY * createSslPrivateKey();

/**
 \ingroup SslCrtdSslAPI
 * Write private key and SSL certificate to memory.
 */
bool writeCertAndPrivateKeyToMemory(X509_Pointer const & cert, EVP_PKEY_Pointer const & pkey, std::string & bufferToWrite);

/**
 \ingroup SslCrtdSslAPI
 * Append SSL certificate to bufferToWrite.
 */
bool appendCertToMemory(X509_Pointer const & cert, std::string & bufferToWrite);

/**
 \ingroup SslCrtdSslAPI
 * Write private key and SSL certificate to file.
 */
bool writeCertAndPrivateKeyToFile(X509_Pointer const & cert, EVP_PKEY_Pointer const & pkey, char const * filename);

/**
 \ingroup SslCrtdSslAPI
 * Write private key and SSL certificate to memory.
 */
bool readCertAndPrivateKeyFromMemory(X509_Pointer & cert, EVP_PKEY_Pointer & pkey, char const * bufferToRead);

/**
 \ingroup SslCrtdSslAPI
 * Read SSL certificate from memory.
 */
bool readCertFromMemory(X509_Pointer & cert, char const * bufferToRead);

/**
  \ingroup SslCrtdSslAPI
 * Supported certificate signing algorithms
 */
enum CertSignAlgorithm {algSignTrusted = 0, algSignUntrusted, algSignSelf, algSignEnd};

/**
 \ingroup SslCrtdSslAPI
 * Short names for certificate signing algorithms
 */

extern const char *CertSignAlgorithmStr[];

/**
 \ingroup SslCrtdSslAPI
 * Return the short name of the signing algorithm "sg"
 */
inline const char *certSignAlgorithm(int sg)
{
    if (sg >=0 && sg < Ssl::algSignEnd)
        return Ssl::CertSignAlgorithmStr[sg];

    return NULL;
}

/**
 \ingroup SslCrtdSslAPI
 * Return the id of the signing algorithm "sg"
 */
inline CertSignAlgorithm certSignAlgorithmId(const char *sg)
{
    for (int i = 0; i < algSignEnd && Ssl::CertSignAlgorithmStr[i] != NULL; i++)
        if (strcmp(Ssl::CertSignAlgorithmStr[i], sg) == 0)
            return (CertSignAlgorithm)i;

    return algSignEnd;
}

/**
 \ingroup SslCrtdSslAPI
 * Supported certificate adaptation algorithms
 */
enum CertAdaptAlgorithm {algSetValidAfter = 0, algSetValidBefore, algSetCommonName, algSetEnd};

/**
 \ingroup SslCrtdSslAPI
 * Short names for certificate adaptation algorithms
 */
extern const char *CertAdaptAlgorithmStr[];

/**
 \ingroup SslCrtdSslAPI
 * Return the short name of the adaptation algorithm "alg"
 */
inline const char *sslCertAdaptAlgoritm(int alg)
{
    if (alg >=0 && alg < Ssl::algSetEnd)
        return Ssl::CertAdaptAlgorithmStr[alg];

    return NULL;
}

/**
 \ingroup SslCrtdSslAPI
 * Simple struct to pass certificate generation parameters to generateSslCertificate function.
 */
class CertificateProperties
{
public:
    CertificateProperties();
    X509_Pointer mimicCert; ///< Certificate to mimic
    X509_Pointer signWithX509; ///< Certificate to sign the generated request
    EVP_PKEY_Pointer signWithPkey; ///< The key of the signing certificate
    bool setValidAfter; ///< Do not mimic "Not Valid After" field
    bool setValidBefore; ///< Do not mimic "Not Valid Before" field
    bool setCommonName; ///< Replace the CN field of the mimicing subject with the given
    std::string commonName; ///< A CN to use for the generated certificate
    CertSignAlgorithm signAlgorithm; ///< The signing algorithm to use
    /// Returns certificate database primary key. New fake certificates
    /// purge old fake certificates with the same key.
    std::string & dbKey() const;
private:
    CertificateProperties(CertificateProperties &);
    CertificateProperties &operator =(CertificateProperties const &);
};

/**
 \ingroup SslCrtdSslAPI
 * Decide on the kind of certificate and generate a CA- or self-signed one.
 * The  generated certificate will inherite properties from certToMimic
 * Return generated certificate and private key in resultX509 and resultPkey
 * variables.
 */
bool generateSslCertificate(X509_Pointer & cert, EVP_PKEY_Pointer & pkey, CertificateProperties const &properties);

/**
 \ingroup SslCrtdSslAPI
 * Read private key from file. Make sure that this is not encrypted file.
 */
EVP_PKEY * readSslPrivateKey(char const * keyFilename, pem_password_cb *passwd_callback = NULL);

/**
 \ingroup SslCrtdSslAPI
 *  Read certificate and private key from files.
 * \param certFilename name of file with certificate.
 * \param keyFilename name of file with private key.
 */
void readCertAndPrivateKeyFromFiles(X509_Pointer & cert, EVP_PKEY_Pointer & pkey, char const * certFilename, char const * keyFilename);

/**
 \ingroup SslCrtdSslAPI
 * Verify date. Date format it ASN1_UTCTIME. if there is out of date error,
 * return false.
*/
bool sslDateIsInTheFuture(char const * date);

/**
 \ingroup SslCrtdSslAPI
 * Check if the major fields of a certificates matches the properties given by
 * a CertficateProperties object
 \return true if the certificates matches false otherwise.
*/
bool certificateMatchesProperties(X509 *peer_cert, CertificateProperties const &properties);

/**
   \ingroup ServerProtocolSSLAPI
   * Returns CN from the certificate, suitable for use as a host name.
   * Uses static memory to temporary store the extracted name.
*/
const char *CommonHostName(X509 *x509);

/**
   \ingroup ServerProtocolSSLAPI
   * Returns Organization from the certificate.
   * Uses static memory to temporary store the extracted name.
*/
const char *getOrganization(X509 *x509);

} // namespace Ssl
#endif // SQUID_SSL_GADGETS_H
Commit	Line	Data
95d2589c CT	1	/*
	2	* 2009/01/17
	3	*/
	4
	5	#ifndef SQUID_SSL_GADGETS_H
	6	#define SQUID_SSL_GADGETS_H
	7
	8	#include "base/TidyPointer.h"
fb2178bb	9	#include "ssl/crtd_message.h"
95d2589c CT	10
	11	#if HAVE_OPENSSL_SSL_H
	12	#include <openssl/ssl.h>
	13	#endif
	14	#if HAVE_OPENSSL_TXT_DB_H
	15	#include <openssl/txt_db.h>
	16	#endif
	17	#if HAVE_STRING
	18	#include <string>
	19	#endif
	20
	21	namespace Ssl
	22	{
	23	/**
	24	\defgroup SslCrtdSslAPI ssl_crtd SSL api.
	25	These functions must not depend on Squid runtime code such as debug()
	26	because they are used by ssl_crtd.
	27	*/
	28
aebe6888 CT	29	/**
	30	\ingroup SslCrtdSslAPI
	31	* Add SSL locking (a.k.a. reference counting) to TidyPointer
	32	*/
	33	template <typename T, void (DeAllocator)(T t), int lock>
	34	class LockingPointer: public TidyPointer<T, DeAllocator>
	35	{
	36	public:
	37	typedef TidyPointer<T, DeAllocator> Parent;
	38
	39	LockingPointer(T *t = NULL): Parent(t) {
	40	}
	41
	42	void resetAndLock(T *t) {
	43	if (t != this->get()) {
fb165657	44	this->reset(t);
aebe6888 CT	45	if (t)
	46	CRYPTO_add(&t->references, 1, lock);
	47	}
	48	}
	49	};
	50
3a665e67	51	// Macro to be used to define the C++ equivalent function of an extern "C"
14851ec2 CT	52	// function. The C++ function suffixed with the _cpp extension
	53	#define CtoCpp1(function, argument) \
	54	extern "C++" inline void function ## _cpp(argument a) { \
	55	function(a); \
	56	}
95d2589c CT	57
	58	/**
	59	\ingroup SslCrtdSslAPI
	60	* TidyPointer typedefs for common SSL objects
	61	*/
14851ec2	62	CtoCpp1(X509_free, X509 *)
aebe6888	63	typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;
14851ec2	64
a594dbfa CT	65	CtoCpp1(sk_X509_free, STACK_OF(X509) *)
	66	typedef TidyPointer<STACK_OF(X509), sk_X509_free_cpp> X509_STACK_Pointer;
	67
14851ec2	68	CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
aebe6888	69	typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;
14851ec2 CT	70
	71	CtoCpp1(BN_free, BIGNUM *)
	72	typedef TidyPointer<BIGNUM, BN_free_cpp> BIGNUM_Pointer;
	73
	74	CtoCpp1(BIO_free, BIO *)
	75	typedef TidyPointer<BIO, BIO_free_cpp> BIO_Pointer;
	76
	77	CtoCpp1(ASN1_INTEGER_free, ASN1_INTEGER *)
	78	typedef TidyPointer<ASN1_INTEGER, ASN1_INTEGER_free_cpp> ASN1_INT_Pointer;
	79
	80	CtoCpp1(TXT_DB_free, TXT_DB *)
	81	typedef TidyPointer<TXT_DB, TXT_DB_free_cpp> TXT_DB_Pointer;
	82
	83	CtoCpp1(X509_NAME_free, X509_NAME *)
	84	typedef TidyPointer<X509_NAME, X509_NAME_free_cpp> X509_NAME_Pointer;
	85
	86	CtoCpp1(RSA_free, RSA *)
	87	typedef TidyPointer<RSA, RSA_free_cpp> RSA_Pointer;
	88
	89	CtoCpp1(X509_REQ_free, X509_REQ *)
	90	typedef TidyPointer<X509_REQ, X509_REQ_free_cpp> X509_REQ_Pointer;
	91
	92	CtoCpp1(SSL_CTX_free, SSL_CTX *)
	93	typedef TidyPointer<SSL_CTX, SSL_CTX_free_cpp> SSL_CTX_Pointer;
	94
	95	CtoCpp1(SSL_free, SSL *)
	96	typedef TidyPointer<SSL, SSL_free_cpp> SSL_Pointer;
95d2589c	97
95d2589c CT	98	/**
	99	\ingroup SslCrtdSslAPI
	100	* Create 1024 bits rsa key.
	101	*/
	102	EVP_PKEY * createSslPrivateKey();
	103
95d2589c CT	104	/**
	105	\ingroup SslCrtdSslAPI
	106	* Write private key and SSL certificate to memory.
	107	*/
	108	bool writeCertAndPrivateKeyToMemory(X509_Pointer const & cert, EVP_PKEY_Pointer const & pkey, std::string & bufferToWrite);
	109
9a90aace CT	110	/**
	111	\ingroup SslCrtdSslAPI
	112	* Append SSL certificate to bufferToWrite.
	113	*/
	114	bool appendCertToMemory(X509_Pointer const & cert, std::string & bufferToWrite);
	115
95d2589c CT	116	/**
	117	\ingroup SslCrtdSslAPI
	118	* Write private key and SSL certificate to file.
	119	*/
	120	bool writeCertAndPrivateKeyToFile(X509_Pointer const & cert, EVP_PKEY_Pointer const & pkey, char const * filename);
	121
	122	/**
	123	\ingroup SslCrtdSslAPI
	124	* Write private key and SSL certificate to memory.
	125	*/
	126	bool readCertAndPrivateKeyFromMemory(X509_Pointer & cert, EVP_PKEY_Pointer & pkey, char const * bufferToRead);
	127
9a90aace CT	128	/**
	129	\ingroup SslCrtdSslAPI
	130	* Read SSL certificate from memory.
	131	*/
	132	bool readCertFromMemory(X509_Pointer & cert, char const * bufferToRead);
	133
aebe6888 CT	134	/**
	135	\ingroup SslCrtdSslAPI
	136	* Supported certificate signing algorithms
	137	*/
	138	enum CertSignAlgorithm {algSignTrusted = 0, algSignUntrusted, algSignSelf, algSignEnd};
	139
95d2589c CT	140	/**
95d2589c CT	141	\ingroup SslCrtdSslAPI
aebe6888	142	* Short names for certificate signing algorithms
95d2589c	143	*/
aebe6888 CT	144
aebe6888 CT	145	extern const char *CertSignAlgorithmStr[];
95d2589c CT	146
	147	/**
	148	\ingroup SslCrtdSslAPI
aebe6888 CT	149	* Return the short name of the signing algorithm "sg"
	150	*/
	151	inline const char *certSignAlgorithm(int sg)
	152	{
	153	if (sg >=0 && sg < Ssl::algSignEnd)
	154	return Ssl::CertSignAlgorithmStr[sg];
	155
	156	return NULL;
	157	}
	158
	159	/**
	160	\ingroup SslCrtdSslAPI
	161	* Return the id of the signing algorithm "sg"
95d2589c	162	*/
aebe6888 CT	163	inline CertSignAlgorithm certSignAlgorithmId(const char *sg)
	164	{
	165	for (int i = 0; i < algSignEnd && Ssl::CertSignAlgorithmStr[i] != NULL; i++)
	166	if (strcmp(Ssl::CertSignAlgorithmStr[i], sg) == 0)
	167	return (CertSignAlgorithm)i;
	168
	169	return algSignEnd;
	170	}
95d2589c	171
fb2178bb CT	172	/**
	173	\ingroup SslCrtdSslAPI
	174	* Supported certificate adaptation algorithms
	175	*/
aebe6888	176	enum CertAdaptAlgorithm {algSetValidAfter = 0, algSetValidBefore, algSetCommonName, algSetEnd};
fb2178bb CT	177
	178	/**
	179	\ingroup SslCrtdSslAPI
	180	* Short names for certificate adaptation algorithms
	181	*/
	182	extern const char *CertAdaptAlgorithmStr[];
	183
	184	/**
	185	\ingroup SslCrtdSslAPI
	186	* Return the short name of the adaptation algorithm "alg"
	187	*/
	188	inline const char *sslCertAdaptAlgoritm(int alg)
	189	{
aebe6888	190	if (alg >=0 && alg < Ssl::algSetEnd)
fb2178bb CT	191	return Ssl::CertAdaptAlgorithmStr[alg];
	192
	193	return NULL;
	194	}
	195
aebe6888 CT	196	/**
	197	\ingroup SslCrtdSslAPI
	198	* Simple struct to pass certificate generation parameters to generateSslCertificate function.
	199	*/
87f237a9 A	200	class CertificateProperties
87f237a9 A	201	{
aebe6888 CT	202	public:
	203	CertificateProperties();
	204	X509_Pointer mimicCert; ///< Certificate to mimic
	205	X509_Pointer signWithX509; ///< Certificate to sign the generated request
	206	EVP_PKEY_Pointer signWithPkey; ///< The key of the signing certificate
87f237a9	207	bool setValidAfter; ///< Do not mimic "Not Valid After" field
aebe6888 CT	208	bool setValidBefore; ///< Do not mimic "Not Valid Before" field
	209	bool setCommonName; ///< Replace the CN field of the mimicing subject with the given
	210	std::string commonName; ///< A CN to use for the generated certificate
	211	CertSignAlgorithm signAlgorithm; ///< The signing algorithm to use
06997a38 CT	212	/// Returns certificate database primary key. New fake certificates
	213	/// purge old fake certificates with the same key.
	214	std::string & dbKey() const;
aebe6888 CT	215	private:
	216	CertificateProperties(CertificateProperties &);
	217	CertificateProperties &operator =(CertificateProperties const &);
	218	};
	219
9a90aace CT	220	/**
	221	\ingroup SslCrtdSslAPI
	222	* Decide on the kind of certificate and generate a CA- or self-signed one.
	223	* The generated certificate will inherite properties from certToMimic
	224	* Return generated certificate and private key in resultX509 and resultPkey
	225	* variables.
	226	*/
aebe6888	227	bool generateSslCertificate(X509_Pointer & cert, EVP_PKEY_Pointer & pkey, CertificateProperties const &properties);
9a90aace	228
a594dbfa CT	229	/**
	230	\ingroup SslCrtdSslAPI
	231	* Read private key from file. Make sure that this is not encrypted file.
	232	*/
780b55ee	233	EVP_PKEY * readSslPrivateKey(char const * keyFilename, pem_password_cb *passwd_callback = NULL);
a594dbfa	234
95d2589c CT	235	/**
	236	\ingroup SslCrtdSslAPI
	237	* Read certificate and private key from files.
	238	* \param certFilename name of file with certificate.
	239	* \param keyFilename name of file with private key.
	240	*/
	241	void readCertAndPrivateKeyFromFiles(X509_Pointer & cert, EVP_PKEY_Pointer & pkey, char const * certFilename, char const * keyFilename);
	242
	243	/**
	244	\ingroup SslCrtdSslAPI
	245	* Verify date. Date format it ASN1_UTCTIME. if there is out of date error,
	246	* return false.
	247	*/
	248	bool sslDateIsInTheFuture(char const * date);
	249
e7bcc25f CT	250	/**
e7bcc25f CT	251	\ingroup SslCrtdSslAPI
4ece76b2 CT	252	* Check if the major fields of a certificates matches the properties given by
4ece76b2 CT	253	* a CertficateProperties object
e7bcc25f CT	254	\return true if the certificates matches false otherwise.
e7bcc25f CT	255	*/
4ece76b2	256	bool certificateMatchesProperties(X509 *peer_cert, CertificateProperties const &properties);
0efa4d01 CT	257
	258	/**
	259	\ingroup ServerProtocolSSLAPI
	260	* Returns CN from the certificate, suitable for use as a host name.
	261	* Uses static memory to temporary store the extracted name.
	262	*/
	263	const char CommonHostName(X509 x509);
	264
	265	/**
	266	\ingroup ServerProtocolSSLAPI
	267	* Returns Organization from the certificate.
	268	* Uses static memory to temporary store the extracted name.
	269	*/
	270	const char getOrganization(X509 x509);
	271
95d2589c CT	272	} // namespace Ssl
95d2589c CT	273	#endif // SQUID_SSL_GADGETS_H