[thirdparty/squid.git] / src / ssl / gadgets.h

/*
 * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

#ifndef SQUID_SSL_GADGETS_H
#define SQUID_SSL_GADGETS_H

#include "security/forward.h"
#include "ssl/crtd_message.h"

#if HAVE_OPENSSL_TXT_DB_H
#include <openssl/txt_db.h>
#endif
#include <string>

namespace Ssl
{
/**
 \defgroup SslCrtdSslAPI ssl_crtd SSL api.
 These functions must not depend on Squid runtime code such as debug()
 because they are used by ssl_crtd.
 */

#if SQUID_USE_CONST_SSL_METHOD
typedef const SSL_METHOD * ContextMethod;
#else
typedef SSL_METHOD * ContextMethod;
#endif

#if !defined(SQUID_SSL_SIGN_HASH_IF_NONE)
#define SQUID_SSL_SIGN_HASH_IF_NONE "sha256"
#endif

/**
 \ingroup SslCrtdSslAPI
 * TidyPointer typedefs for  common SSL objects
 */
sk_free_wrapper(sk_X509, STACK_OF(X509) *, X509_free)
typedef TidyPointer<STACK_OF(X509), sk_X509_free_wrapper> X509_STACK_Pointer;

CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
typedef Security::LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;

CtoCpp1(BN_free, BIGNUM *)
typedef TidyPointer<BIGNUM, BN_free_cpp> BIGNUM_Pointer;

CtoCpp1(BIO_free, BIO *)
typedef TidyPointer<BIO, BIO_free_cpp> BIO_Pointer;

CtoCpp1(ASN1_INTEGER_free, ASN1_INTEGER *)
typedef TidyPointer<ASN1_INTEGER, ASN1_INTEGER_free_cpp> ASN1_INT_Pointer;

CtoCpp1(TXT_DB_free, TXT_DB *)
typedef TidyPointer<TXT_DB, TXT_DB_free_cpp> TXT_DB_Pointer;

CtoCpp1(X509_NAME_free, X509_NAME *)
typedef TidyPointer<X509_NAME, X509_NAME_free_cpp> X509_NAME_Pointer;

CtoCpp1(RSA_free, RSA *)
typedef TidyPointer<RSA, RSA_free_cpp> RSA_Pointer;

CtoCpp1(X509_REQ_free, X509_REQ *)
typedef TidyPointer<X509_REQ, X509_REQ_free_cpp> X509_REQ_Pointer;

CtoCpp1(SSL_CTX_free, SSL_CTX *)
typedef TidyPointer<SSL_CTX, SSL_CTX_free_cpp> SSL_CTX_Pointer;

CtoCpp1(SSL_free, SSL *)
typedef TidyPointer<SSL, SSL_free_cpp> SSL_Pointer;

sk_free_wrapper(sk_X509_NAME, STACK_OF(X509_NAME) *, X509_NAME_free)
typedef TidyPointer<STACK_OF(X509_NAME), sk_X509_NAME_free_wrapper> X509_NAME_STACK_Pointer;

/**
 \ingroup SslCrtdSslAPI
 * Create 1024 bits rsa key.
 */
EVP_PKEY * createSslPrivateKey();

/**
 \ingroup SslCrtdSslAPI
 * Write private key and SSL certificate to memory.
 */
bool writeCertAndPrivateKeyToMemory(Security::CertPointer const & cert, EVP_PKEY_Pointer const & pkey, std::string & bufferToWrite);

/**
 \ingroup SslCrtdSslAPI
 * Append SSL certificate to bufferToWrite.
 */
bool appendCertToMemory(Security::CertPointer const & cert, std::string & bufferToWrite);

/**
 \ingroup SslCrtdSslAPI
 * Write private key and SSL certificate to file.
 */
bool writeCertAndPrivateKeyToFile(Security::CertPointer const & cert, EVP_PKEY_Pointer const & pkey, char const * filename);

/**
 \ingroup SslCrtdSslAPI
 * Write private key and SSL certificate to memory.
 */
bool readCertAndPrivateKeyFromMemory(Security::CertPointer & cert, EVP_PKEY_Pointer & pkey, char const * bufferToRead);

/**
 \ingroup SslCrtdSslAPI
 * Read SSL certificate from memory.
 */
bool readCertFromMemory(Security::CertPointer & cert, char const * bufferToRead);

/**
  \ingroup SslCrtdSslAPI
 * Supported certificate signing algorithms
 */
enum CertSignAlgorithm {algSignTrusted = 0, algSignUntrusted, algSignSelf, algSignEnd};

/**
 \ingroup SslCrtdSslAPI
 * Short names for certificate signing algorithms
 */

extern const char *CertSignAlgorithmStr[];

/**
 \ingroup SslCrtdSslAPI
 * Return the short name of the signing algorithm "sg"
 */
inline const char *certSignAlgorithm(int sg)
{
    if (sg >=0 && sg < Ssl::algSignEnd)
        return Ssl::CertSignAlgorithmStr[sg];

    return NULL;
}

/**
 \ingroup SslCrtdSslAPI
 * Return the id of the signing algorithm "sg"
 */
inline CertSignAlgorithm certSignAlgorithmId(const char *sg)
{
    for (int i = 0; i < algSignEnd && Ssl::CertSignAlgorithmStr[i] != NULL; i++)
        if (strcmp(Ssl::CertSignAlgorithmStr[i], sg) == 0)
            return (CertSignAlgorithm)i;

    return algSignEnd;
}

/**
 \ingroup SslCrtdSslAPI
 * Supported certificate adaptation algorithms
 */
enum CertAdaptAlgorithm {algSetValidAfter = 0, algSetValidBefore, algSetCommonName, algSetEnd};

/**
 \ingroup SslCrtdSslAPI
 * Short names for certificate adaptation algorithms
 */
extern const char *CertAdaptAlgorithmStr[];

/**
 \ingroup SslCrtdSslAPI
 * Return the short name of the adaptation algorithm "alg"
 */
inline const char *sslCertAdaptAlgoritm(int alg)
{
    if (alg >=0 && alg < Ssl::algSetEnd)
        return Ssl::CertAdaptAlgorithmStr[alg];

    return NULL;
}

/**
 \ingroup SslCrtdSslAPI
 * Simple struct to pass certificate generation parameters to generateSslCertificate function.
 */
class CertificateProperties
{
public:
    CertificateProperties();
    Security::CertPointer mimicCert; ///< Certificate to mimic
    Security::CertPointer signWithX509; ///< Certificate to sign the generated request
    EVP_PKEY_Pointer signWithPkey; ///< The key of the signing certificate
    bool setValidAfter; ///< Do not mimic "Not Valid After" field
    bool setValidBefore; ///< Do not mimic "Not Valid Before" field
    bool setCommonName; ///< Replace the CN field of the mimicing subject with the given
    std::string commonName; ///< A CN to use for the generated certificate
    CertSignAlgorithm signAlgorithm; ///< The signing algorithm to use
    const EVP_MD *signHash; ///< The signing hash to use
    /// Returns certificate database primary key. New fake certificates
    /// purge old fake certificates with the same key.
    std::string & dbKey() const;
private:
    CertificateProperties(CertificateProperties &);
    CertificateProperties &operator =(CertificateProperties const &);
};

/**
 \ingroup SslCrtdSslAPI
 * Decide on the kind of certificate and generate a CA- or self-signed one.
 * The  generated certificate will inherite properties from certToMimic
 * Return generated certificate and private key in resultX509 and resultPkey
 * variables.
 */
bool generateSslCertificate(Security::CertPointer & cert, EVP_PKEY_Pointer & pkey, CertificateProperties const &properties);

/**
 \ingroup SslCrtdSslAPI
 * Read private key from file. Make sure that this is not encrypted file.
 */
EVP_PKEY * readSslPrivateKey(char const * keyFilename, pem_password_cb *passwd_callback = NULL);

/**
 \ingroup SslCrtdSslAPI
 *  Read certificate and private key from files.
 * \param certFilename name of file with certificate.
 * \param keyFilename name of file with private key.
 */
void readCertAndPrivateKeyFromFiles(Security::CertPointer & cert, EVP_PKEY_Pointer & pkey, char const * certFilename, char const * keyFilename);

/**
 \ingroup SslCrtdSslAPI
 * Verify date. Date format it ASN1_UTCTIME. if there is out of date error,
 * return false.
*/
bool sslDateIsInTheFuture(char const * date);

/**
 \ingroup SslCrtdSslAPI
 * Check if the major fields of a certificates matches the properties given by
 * a CertficateProperties object
 \return true if the certificates matches false otherwise.
*/
bool certificateMatchesProperties(X509 *peer_cert, CertificateProperties const &properties);

/**
   \ingroup ServerProtocolSSLAPI
   * Returns CN from the certificate, suitable for use as a host name.
   * Uses static memory to temporary store the extracted name.
*/
const char *CommonHostName(X509 *x509);

/**
   \ingroup ServerProtocolSSLAPI
   * Returns Organization from the certificate.
   * Uses static memory to temporary store the extracted name.
*/
const char *getOrganization(X509 *x509);

} // namespace Ssl
#endif // SQUID_SSL_GADGETS_H
Commit	Line	Data
bbc27441	1	/*
ef57eb7b	2	* Copyright (C) 1996-2016 The Squid Software Foundation and contributors
bbc27441 AJ	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
95d2589c CT	9	#ifndef SQUID_SSL_GADGETS_H
	10	#define SQUID_SSL_GADGETS_H
	11
f97700a0	12	#include "security/forward.h"
fb2178bb	13	#include "ssl/crtd_message.h"
95d2589c	14
95d2589c CT	15	#if HAVE_OPENSSL_TXT_DB_H
	16	#include <openssl/txt_db.h>
	17	#endif
95d2589c	18	#include <string>
95d2589c CT	19
	20	namespace Ssl
	21	{
	22	/**
	23	\defgroup SslCrtdSslAPI ssl_crtd SSL api.
	24	These functions must not depend on Squid runtime code such as debug()
	25	because they are used by ssl_crtd.
	26	*/
	27
19179f7c	28	#if SQUID_USE_CONST_SSL_METHOD
86660d64	29	typedef const SSL_METHOD * ContextMethod;
19179f7c CT	30	#else
19179f7c CT	31	typedef SSL_METHOD * ContextMethod;
86660d64 CT	32	#endif
86660d64 CT	33
3c26b00a CT	34	#if !defined(SQUID_SSL_SIGN_HASH_IF_NONE)
	35	#define SQUID_SSL_SIGN_HASH_IF_NONE "sha256"
	36	#endif
	37
95d2589c CT	38	/**
	39	\ingroup SslCrtdSslAPI
	40	* TidyPointer typedefs for common SSL objects
	41	*/
86660d64 CT	42	sk_free_wrapper(sk_X509, STACK_OF(X509) *, X509_free)
86660d64 CT	43	typedef TidyPointer<STACK_OF(X509), sk_X509_free_wrapper> X509_STACK_Pointer;
a594dbfa	44
14851ec2	45	CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
f97700a0	46	typedef Security::LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;
14851ec2 CT	47
	48	CtoCpp1(BN_free, BIGNUM *)
	49	typedef TidyPointer<BIGNUM, BN_free_cpp> BIGNUM_Pointer;
	50
	51	CtoCpp1(BIO_free, BIO *)
	52	typedef TidyPointer<BIO, BIO_free_cpp> BIO_Pointer;
	53
	54	CtoCpp1(ASN1_INTEGER_free, ASN1_INTEGER *)
	55	typedef TidyPointer<ASN1_INTEGER, ASN1_INTEGER_free_cpp> ASN1_INT_Pointer;
	56
	57	CtoCpp1(TXT_DB_free, TXT_DB *)
	58	typedef TidyPointer<TXT_DB, TXT_DB_free_cpp> TXT_DB_Pointer;
	59
	60	CtoCpp1(X509_NAME_free, X509_NAME *)
	61	typedef TidyPointer<X509_NAME, X509_NAME_free_cpp> X509_NAME_Pointer;
	62
	63	CtoCpp1(RSA_free, RSA *)
	64	typedef TidyPointer<RSA, RSA_free_cpp> RSA_Pointer;
	65
	66	CtoCpp1(X509_REQ_free, X509_REQ *)
	67	typedef TidyPointer<X509_REQ, X509_REQ_free_cpp> X509_REQ_Pointer;
	68
	69	CtoCpp1(SSL_CTX_free, SSL_CTX *)
	70	typedef TidyPointer<SSL_CTX, SSL_CTX_free_cpp> SSL_CTX_Pointer;
	71
	72	CtoCpp1(SSL_free, SSL *)
	73	typedef TidyPointer<SSL, SSL_free_cpp> SSL_Pointer;
95d2589c	74
86660d64 CT	75	sk_free_wrapper(sk_X509_NAME, STACK_OF(X509_NAME) *, X509_NAME_free)
	76	typedef TidyPointer<STACK_OF(X509_NAME), sk_X509_NAME_free_wrapper> X509_NAME_STACK_Pointer;
	77
95d2589c CT	78	/**
	79	\ingroup SslCrtdSslAPI
	80	* Create 1024 bits rsa key.
	81	*/
	82	EVP_PKEY * createSslPrivateKey();
	83
95d2589c CT	84	/**
	85	\ingroup SslCrtdSslAPI
	86	* Write private key and SSL certificate to memory.
	87	*/
f97700a0	88	bool writeCertAndPrivateKeyToMemory(Security::CertPointer const & cert, EVP_PKEY_Pointer const & pkey, std::string & bufferToWrite);
95d2589c	89
9a90aace CT	90	/**
	91	\ingroup SslCrtdSslAPI
	92	* Append SSL certificate to bufferToWrite.
	93	*/
f97700a0	94	bool appendCertToMemory(Security::CertPointer const & cert, std::string & bufferToWrite);
9a90aace	95
95d2589c CT	96	/**
	97	\ingroup SslCrtdSslAPI
	98	* Write private key and SSL certificate to file.
	99	*/
f97700a0	100	bool writeCertAndPrivateKeyToFile(Security::CertPointer const & cert, EVP_PKEY_Pointer const & pkey, char const * filename);
95d2589c CT	101
	102	/**
	103	\ingroup SslCrtdSslAPI
	104	* Write private key and SSL certificate to memory.
	105	*/
f97700a0	106	bool readCertAndPrivateKeyFromMemory(Security::CertPointer & cert, EVP_PKEY_Pointer & pkey, char const * bufferToRead);
95d2589c	107
9a90aace CT	108	/**
	109	\ingroup SslCrtdSslAPI
	110	* Read SSL certificate from memory.
	111	*/
f97700a0	112	bool readCertFromMemory(Security::CertPointer & cert, char const * bufferToRead);
9a90aace	113
aebe6888 CT	114	/**
	115	\ingroup SslCrtdSslAPI
	116	* Supported certificate signing algorithms
	117	*/
	118	enum CertSignAlgorithm {algSignTrusted = 0, algSignUntrusted, algSignSelf, algSignEnd};
	119
95d2589c CT	120	/**
95d2589c CT	121	\ingroup SslCrtdSslAPI
aebe6888	122	* Short names for certificate signing algorithms
95d2589c	123	*/
aebe6888 CT	124
aebe6888 CT	125	extern const char *CertSignAlgorithmStr[];
95d2589c CT	126
	127	/**
	128	\ingroup SslCrtdSslAPI
aebe6888 CT	129	* Return the short name of the signing algorithm "sg"
	130	*/
	131	inline const char *certSignAlgorithm(int sg)
	132	{
	133	if (sg >=0 && sg < Ssl::algSignEnd)
	134	return Ssl::CertSignAlgorithmStr[sg];
	135
	136	return NULL;
	137	}
	138
	139	/**
	140	\ingroup SslCrtdSslAPI
	141	* Return the id of the signing algorithm "sg"
95d2589c	142	*/
aebe6888 CT	143	inline CertSignAlgorithm certSignAlgorithmId(const char *sg)
	144	{
	145	for (int i = 0; i < algSignEnd && Ssl::CertSignAlgorithmStr[i] != NULL; i++)
	146	if (strcmp(Ssl::CertSignAlgorithmStr[i], sg) == 0)
	147	return (CertSignAlgorithm)i;
	148
	149	return algSignEnd;
	150	}
95d2589c	151
fb2178bb CT	152	/**
	153	\ingroup SslCrtdSslAPI
	154	* Supported certificate adaptation algorithms
	155	*/
aebe6888	156	enum CertAdaptAlgorithm {algSetValidAfter = 0, algSetValidBefore, algSetCommonName, algSetEnd};
fb2178bb CT	157
	158	/**
	159	\ingroup SslCrtdSslAPI
	160	* Short names for certificate adaptation algorithms
	161	*/
	162	extern const char *CertAdaptAlgorithmStr[];
	163
	164	/**
	165	\ingroup SslCrtdSslAPI
	166	* Return the short name of the adaptation algorithm "alg"
	167	*/
	168	inline const char *sslCertAdaptAlgoritm(int alg)
	169	{
aebe6888	170	if (alg >=0 && alg < Ssl::algSetEnd)
fb2178bb CT	171	return Ssl::CertAdaptAlgorithmStr[alg];
	172
	173	return NULL;
	174	}
	175
aebe6888 CT	176	/**
	177	\ingroup SslCrtdSslAPI
	178	* Simple struct to pass certificate generation parameters to generateSslCertificate function.
	179	*/
87f237a9 A	180	class CertificateProperties
87f237a9 A	181	{
aebe6888 CT	182	public:
aebe6888 CT	183	CertificateProperties();
f97700a0 AJ	184	Security::CertPointer mimicCert; ///< Certificate to mimic
f97700a0 AJ	185	Security::CertPointer signWithX509; ///< Certificate to sign the generated request
aebe6888	186	EVP_PKEY_Pointer signWithPkey; ///< The key of the signing certificate
87f237a9	187	bool setValidAfter; ///< Do not mimic "Not Valid After" field
aebe6888 CT	188	bool setValidBefore; ///< Do not mimic "Not Valid Before" field
	189	bool setCommonName; ///< Replace the CN field of the mimicing subject with the given
	190	std::string commonName; ///< A CN to use for the generated certificate
	191	CertSignAlgorithm signAlgorithm; ///< The signing algorithm to use
3c26b00a	192	const EVP_MD *signHash; ///< The signing hash to use
06997a38 CT	193	/// Returns certificate database primary key. New fake certificates
	194	/// purge old fake certificates with the same key.
	195	std::string & dbKey() const;
aebe6888 CT	196	private:
	197	CertificateProperties(CertificateProperties &);
	198	CertificateProperties &operator =(CertificateProperties const &);
	199	};
	200
9a90aace CT	201	/**
	202	\ingroup SslCrtdSslAPI
	203	* Decide on the kind of certificate and generate a CA- or self-signed one.
	204	* The generated certificate will inherite properties from certToMimic
	205	* Return generated certificate and private key in resultX509 and resultPkey
	206	* variables.
	207	*/
f97700a0	208	bool generateSslCertificate(Security::CertPointer & cert, EVP_PKEY_Pointer & pkey, CertificateProperties const &properties);
9a90aace	209
a594dbfa CT	210	/**
	211	\ingroup SslCrtdSslAPI
	212	* Read private key from file. Make sure that this is not encrypted file.
	213	*/
780b55ee	214	EVP_PKEY * readSslPrivateKey(char const * keyFilename, pem_password_cb *passwd_callback = NULL);
a594dbfa	215
95d2589c CT	216	/**
	217	\ingroup SslCrtdSslAPI
	218	* Read certificate and private key from files.
	219	* \param certFilename name of file with certificate.
	220	* \param keyFilename name of file with private key.
	221	*/
f97700a0	222	void readCertAndPrivateKeyFromFiles(Security::CertPointer & cert, EVP_PKEY_Pointer & pkey, char const * certFilename, char const * keyFilename);
95d2589c CT	223
	224	/**
	225	\ingroup SslCrtdSslAPI
	226	* Verify date. Date format it ASN1_UTCTIME. if there is out of date error,
	227	* return false.
	228	*/
	229	bool sslDateIsInTheFuture(char const * date);
	230
e7bcc25f CT	231	/**
e7bcc25f CT	232	\ingroup SslCrtdSslAPI
4ece76b2 CT	233	* Check if the major fields of a certificates matches the properties given by
4ece76b2 CT	234	* a CertficateProperties object
e7bcc25f CT	235	\return true if the certificates matches false otherwise.
e7bcc25f CT	236	*/
4ece76b2	237	bool certificateMatchesProperties(X509 *peer_cert, CertificateProperties const &properties);
0efa4d01 CT	238
	239	/**
	240	\ingroup ServerProtocolSSLAPI
	241	* Returns CN from the certificate, suitable for use as a host name.
	242	* Uses static memory to temporary store the extracted name.
	243	*/
	244	const char CommonHostName(X509 x509);
	245
	246	/**
	247	\ingroup ServerProtocolSSLAPI
	248	* Returns Organization from the certificate.
	249	* Uses static memory to temporary store the extracted name.
	250	*/
	251	const char getOrganization(X509 x509);
	252
95d2589c CT	253	} // namespace Ssl
95d2589c CT	254	#endif // SQUID_SSL_GADGETS_H
f53969cc	255