bbc27441 | 1 | /* |
ef57eb7b | 2 | * Copyright (C) 1996-2016 The Squid Software Foundation and contributors |
3 | * |
4 | * Squid software is distributed under GPLv2+ license and includes | |
5 | * contributions from numerous individuals and organizations. | |
6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
7 | */ | |
8 | ||
9 | #ifndef SQUID_SSL_GADGETS_H |
10 | #define SQUID_SSL_GADGETS_H | |
11 | ||
#include "security/forward.h"
#include "ssl/crtd_message.h"

#include <cstring>
#if HAVE_OPENSSL_TXT_DB_H
#include <openssl/txt_db.h>
#endif
#include <string>
19 | |
20 | namespace Ssl | |
21 | { | |
22 | /** | |
23 | \defgroup SslCrtdSslAPI ssl_crtd SSL api. | |
24 | These functions must not depend on Squid runtime code such as debug() | |
25 | because they are used by ssl_crtd. | |
26 | */ | |
27 | ||
/// Pointer-to-SSL_METHOD type for the OpenSSL build in use: the pointee is
/// const only when SQUID_USE_CONST_SSL_METHOD is set, so code should use
/// this alias rather than spelling the pointer type out.
#if SQUID_USE_CONST_SSL_METHOD
typedef const SSL_METHOD * ContextMethod;
#else
typedef SSL_METHOD * ContextMethod;
#endif
33 | ||
/// Digest name presumably used as the signing hash when none is configured
/// (the macro name suggests so; confirm against its users). Can be
/// overridden by defining SQUID_SSL_SIGN_HASH_IF_NONE at build time.
#if !defined(SQUID_SSL_SIGN_HASH_IF_NONE)
#define SQUID_SSL_SIGN_HASH_IF_NONE "sha256"
#endif
37 | ||
/**
 \ingroup SslCrtdSslAPI
 * TidyPointer typedefs for common SSL objects
 *
 * CtoCpp1() and sk_free_wrapper() are macros defined in an included header,
 * not here; they appear to generate the *_free_cpp / *_free_wrapper deleters
 * used as the second template argument below. Note that EVP_PKEY_Pointer is
 * a Security::LockingPointer taking a CRYPTO_LOCK_* id (presumably for
 * reference counting), unlike the TidyPointer-based aliases around it.
 */
sk_free_wrapper(sk_X509, STACK_OF(X509) *, X509_free)
typedef TidyPointer<STACK_OF(X509), sk_X509_free_wrapper> X509_STACK_Pointer;

CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
typedef Security::LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;

CtoCpp1(BN_free, BIGNUM *)
typedef TidyPointer<BIGNUM, BN_free_cpp> BIGNUM_Pointer;

CtoCpp1(BIO_free, BIO *)
typedef TidyPointer<BIO, BIO_free_cpp> BIO_Pointer;

CtoCpp1(ASN1_INTEGER_free, ASN1_INTEGER *)
typedef TidyPointer<ASN1_INTEGER, ASN1_INTEGER_free_cpp> ASN1_INT_Pointer;

// NOTE(review): declared unconditionally although the <openssl/txt_db.h>
// include above is guarded by HAVE_OPENSSL_TXT_DB_H — confirm TXT_DB is
// declared on every supported OpenSSL build.
CtoCpp1(TXT_DB_free, TXT_DB *)
typedef TidyPointer<TXT_DB, TXT_DB_free_cpp> TXT_DB_Pointer;

CtoCpp1(X509_NAME_free, X509_NAME *)
typedef TidyPointer<X509_NAME, X509_NAME_free_cpp> X509_NAME_Pointer;

CtoCpp1(RSA_free, RSA *)
typedef TidyPointer<RSA, RSA_free_cpp> RSA_Pointer;

CtoCpp1(X509_REQ_free, X509_REQ *)
typedef TidyPointer<X509_REQ, X509_REQ_free_cpp> X509_REQ_Pointer;

CtoCpp1(SSL_CTX_free, SSL_CTX *)
typedef TidyPointer<SSL_CTX, SSL_CTX_free_cpp> SSL_CTX_Pointer;

CtoCpp1(SSL_free, SSL *)
typedef TidyPointer<SSL, SSL_free_cpp> SSL_Pointer;

sk_free_wrapper(sk_X509_NAME, STACK_OF(X509_NAME) *, X509_NAME_free)
typedef TidyPointer<STACK_OF(X509_NAME), sk_X509_NAME_free_wrapper> X509_NAME_STACK_Pointer;
77 | ||
/**
 \ingroup SslCrtdSslAPI
 * Create a 1024-bit RSA key.
 * NOTE(review): 1024-bit RSA is below current key-length recommendations;
 * confirm the size actually used by the definition before relying on it.
 * \return the new key as a raw pointer; ownership presumably passes to the
 *         caller, so wrap it in EVP_PKEY_Pointer (and check for NULL).
 */
EVP_PKEY * createSslPrivateKey();

/**
 \ingroup SslCrtdSslAPI
 * Write private key and SSL certificate to memory.
 * \param bufferToWrite receives the serialized certificate and key.
 */
bool writeCertAndPrivateKeyToMemory(Security::CertPointer const & cert, EVP_PKEY_Pointer const & pkey, std::string & bufferToWrite);

/**
 \ingroup SslCrtdSslAPI
 * Append SSL certificate to bufferToWrite.
 */
bool appendCertToMemory(Security::CertPointer const & cert, std::string & bufferToWrite);

/**
 \ingroup SslCrtdSslAPI
 * Write private key and SSL certificate to file.
 * \param filename path of the file to write.
 */
bool writeCertAndPrivateKeyToFile(Security::CertPointer const & cert, EVP_PKEY_Pointer const & pkey, char const * filename);

/**
 \ingroup SslCrtdSslAPI
 * Read private key and SSL certificate from memory (the previous comment
 * said "write ... to memory"; the name and parameters describe a read).
 * \param bufferToRead presumably NUL-terminated buffer holding the
 *        certificate and key.
 */
bool readCertAndPrivateKeyFromMemory(Security::CertPointer & cert, EVP_PKEY_Pointer & pkey, char const * bufferToRead);

/**
 \ingroup SslCrtdSslAPI
 * Read SSL certificate from memory.
 * \param bufferToRead presumably NUL-terminated buffer holding the certificate.
 */
bool readCertFromMemory(Security::CertPointer & cert, char const * bufferToRead);
9a90aace | 113 | |
/**
 \ingroup SslCrtdSslAPI
 * Supported certificate signing algorithms.
 * The enumerator values index CertSignAlgorithmStr; algSignEnd is the
 * one-past-the-end sentinel (also used as the "not found" result of
 * certSignAlgorithmId()), not an algorithm.
 */
enum CertSignAlgorithm {
    algSignTrusted = 0,
    algSignUntrusted,
    algSignSelf,
    algSignEnd
};
119 | ||
/**
 \ingroup SslCrtdSslAPI
 * Short names for certificate signing algorithms, indexed by
 * CertSignAlgorithm. certSignAlgorithmId() scans this table up to
 * algSignEnd or the first NULL entry, whichever comes first.
 */

extern const char *CertSignAlgorithmStr[];
126 | |
/**
 \ingroup SslCrtdSslAPI
 * Return the short name of the signing algorithm "sg", or NULL when sg is
 * not a valid CertSignAlgorithm index (negative or >= algSignEnd).
 */
inline const char *certSignAlgorithm(int sg)
{
    const bool known = (sg >= 0) && (sg < Ssl::algSignEnd);
    return known ? Ssl::CertSignAlgorithmStr[sg] : NULL;
}
138 | ||
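/**
 \ingroup SslCrtdSslAPI
 * Return the id of the signing algorithm named by "sg".
 * \param sg short algorithm name; may be NULL.
 * \return the matching CertSignAlgorithm, or algSignEnd when sg is NULL or
 *         does not name a supported algorithm.
 */
inline CertSignAlgorithm certSignAlgorithmId(const char *sg)
{
    // strcmp() on a null name is undefined behaviour; treat it as "unknown".
    if (!sg)
        return algSignEnd;

    // The table is scanned only up to algSignEnd or its first NULL entry, so a
    // table shorter than algSignEnd cannot be over-read.
    for (int i = 0; i < algSignEnd && Ssl::CertSignAlgorithmStr[i] != NULL; ++i) {
        if (strcmp(Ssl::CertSignAlgorithmStr[i], sg) == 0)
            return static_cast<CertSignAlgorithm>(i);
    }

    return algSignEnd;
}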
95d2589c | 151 | |
/**
 \ingroup SslCrtdSslAPI
 * Supported certificate adaptation algorithms.
 * The enumerator values index CertAdaptAlgorithmStr; algSetEnd is the
 * one-past-the-end sentinel, not an algorithm.
 */
enum CertAdaptAlgorithm {
    algSetValidAfter = 0,
    algSetValidBefore,
    algSetCommonName,
    algSetEnd
};
157 | |
/**
 \ingroup SslCrtdSslAPI
 * Short names for certificate adaptation algorithms, indexed by
 * CertAdaptAlgorithm (see sslCertAdaptAlgoritm()).
 */
extern const char *CertAdaptAlgorithmStr[];
163 | ||
/**
 \ingroup SslCrtdSslAPI
 * Return the short name of the adaptation algorithm "alg", or NULL when alg
 * is not a valid CertAdaptAlgorithm index (negative or >= algSetEnd).
 */
inline const char *sslCertAdaptAlgoritm(int alg)
{
    const bool known = (alg >= 0) && (alg < Ssl::algSetEnd);
    return known ? Ssl::CertAdaptAlgorithmStr[alg] : NULL;
}
175 | ||
/**
 \ingroup SslCrtdSslAPI
 * Simple struct to pass certificate generation parameters to generateSslCertificate function.
 * Non-copyable: the copy constructor and copy assignment are declared
 * private and left undefined.
 */
class CertificateProperties
{
public:
    CertificateProperties(); ///< defined out of line; presumably initializes the bool and pointer members below — confirm
    Security::CertPointer mimicCert; ///< Certificate to mimic
    Security::CertPointer signWithX509; ///< Certificate to sign the generated request
    EVP_PKEY_Pointer signWithPkey; ///< The key of the signing certificate
    bool setValidAfter; ///< Do not mimic "Not Valid After" field
    bool setValidBefore; ///< Do not mimic "Not Valid Before" field
    bool setCommonName; ///< Replace the CN field of the mimicked subject with commonName
    std::string commonName; ///< A CN to use for the generated certificate
    CertSignAlgorithm signAlgorithm; ///< The signing algorithm to use
    const EVP_MD *signHash; ///< The signing hash to use
    /// Returns certificate database primary key. New fake certificates
    /// purge old fake certificates with the same key.
    /// NOTE(review): returns a non-const reference from a const method, so
    /// the referenced string presumably lives outside this object (e.g.
    /// static storage) — confirm its lifetime in the definition.
    std::string & dbKey() const;
private:
    CertificateProperties(CertificateProperties &);
    CertificateProperties &operator =(CertificateProperties const &);
};
200 | ||
9a90aace CT |
201 | /** |
202 | \ingroup SslCrtdSslAPI | |
203 | * Decide on the kind of certificate and generate a CA- or self-signed one. | |
204 | * The generated certificate will inherite properties from certToMimic | |
205 | * Return generated certificate and private key in resultX509 and resultPkey | |
206 | * variables. | |
207 | */ | |
f97700a0 | 208 | bool generateSslCertificate(Security::CertPointer & cert, EVP_PKEY_Pointer & pkey, CertificateProperties const &properties); |
9a90aace | 209 | |
a594dbfa CT |
210 | /** |
211 | \ingroup SslCrtdSslAPI | |
212 | * Read private key from file. Make sure that this is not encrypted file. | |
213 | */ | |
780b55ee | 214 | EVP_PKEY * readSslPrivateKey(char const * keyFilename, pem_password_cb *passwd_callback = NULL); |
a594dbfa | 215 | |
95d2589c CT |
216 | /** |
217 | \ingroup SslCrtdSslAPI | |
218 | * Read certificate and private key from files. | |
219 | * \param certFilename name of file with certificate. | |
220 | * \param keyFilename name of file with private key. | |
221 | */ | |
f97700a0 | 222 | void readCertAndPrivateKeyFromFiles(Security::CertPointer & cert, EVP_PKEY_Pointer & pkey, char const * certFilename, char const * keyFilename); |
95d2589c CT |
223 | |
224 | /** | |
225 | \ingroup SslCrtdSslAPI | |
226 | * Verify date. Date format it ASN1_UTCTIME. if there is out of date error, | |
227 | * return false. | |
228 | */ | |
229 | bool sslDateIsInTheFuture(char const * date); | |
230 | ||
e7bcc25f CT |
231 | /** |
232 | \ingroup SslCrtdSslAPI | |
4ece76b2 CT |
233 | * Check if the major fields of a certificates matches the properties given by |
234 | * a CertficateProperties object | |
e7bcc25f CT |
235 | \return true if the certificates matches false otherwise. |
236 | */ | |
4ece76b2 | 237 | bool certificateMatchesProperties(X509 *peer_cert, CertificateProperties const &properties); |
0efa4d01 CT |
238 | |
239 | /** | |
240 | \ingroup ServerProtocolSSLAPI | |
241 | * Returns CN from the certificate, suitable for use as a host name. | |
242 | * Uses static memory to temporary store the extracted name. | |
243 | */ | |
244 | const char *CommonHostName(X509 *x509); | |
245 | ||
246 | /** | |
247 | \ingroup ServerProtocolSSLAPI | |
248 | * Returns Organization from the certificate. | |
249 | * Uses static memory to temporary store the extracted name. | |
250 | */ | |
251 | const char *getOrganization(X509 *x509); | |
252 | ||
253 | } // namespace Ssl |
254 | #endif // SQUID_SSL_GADGETS_H | |
f53969cc | 255 |