2 * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
9 /* DEBUG: section 83 SSL accelerator support */
11 #ifndef SQUID_SSL_SUPPORT_H
12 #define SQUID_SSL_SUPPORT_H
16 #include "base/CbDataList.h"
17 #include "comm/forward.h"
18 #include "sbuf/SBuf.h"
19 #include "security/forward.h"
20 #include "ssl/gadgets.h"
22 #if HAVE_OPENSSL_X509V3_H
23 #include <openssl/x509v3.h>
25 #if HAVE_OPENSSL_ERR_H
26 #include <openssl/err.h>
28 #if HAVE_OPENSSL_ENGINE_H
29 #include <openssl/engine.h>
35 \defgroup ServerProtocolSSLAPI Server-Side SSL API
36 \ingroup ServerProtocol
39 // Custom SSL errors; assumes all official errors are positive
40 #define SQUID_X509_V_ERR_INFINITE_VALIDATION -4
41 #define SQUID_X509_V_ERR_CERT_CHANGE -3
42 #define SQUID_ERR_SSL_HANDSHAKE -2
43 #define SQUID_X509_V_ERR_DOMAIN_MISMATCH -1
44 // All SSL errors range: from smallest (negative) custom to largest SSL error
45 #define SQUID_SSL_ERROR_MIN SQUID_X509_V_ERR_CERT_CHANGE
46 #define SQUID_SSL_ERROR_MAX INT_MAX
48 // Maximum certificate validation callbacks. OpenSSL versions exceeding this
49 // limit are deemed stuck in an infinite validation loop (OpenSSL bug #3090)
50 // and will trigger the SQUID_X509_V_ERR_INFINITE_VALIDATION error.
51 // Can be set to a number up to UINT32_MAX
52 #ifndef SQUID_CERT_VALIDATION_ITERATION_MAX
53 #define SQUID_CERT_VALIDATION_ITERATION_MAX 16384
68 /// initialize the SSL library global state.
69 /// call before generating any SSL context
73 class CertValidationResponse
;
74 typedef RefCount
<CertValidationResponse
> CertValidationResponsePointer
;
76 /// Creates SSL Client connection structure and initializes SSL I/O (Comm and BIO).
77 /// On errors, emits DBG_IMPORTANT with details and returns false.
78 bool CreateClient(const Security::ContextPointer
&, const Comm::ConnectionPointer
&, const char *squidCtx
);
80 /// Creates SSL Server connection structure and initializes SSL I/O (Comm and BIO).
81 /// On errors, emits DBG_IMPORTANT with details and returns false.
82 bool CreateServer(const Security::ContextPointer
&, const Comm::ConnectionPointer
&, const char *squidCtx
);
84 void SetSessionCallbacks(Security::ContextPointer
&);
85 extern Ipc::MemMap
*SessionCache
;
86 extern const char *SessionCacheName
;
88 /// initialize a TLS server context with OpenSSL specific settings
89 bool InitServerContext(Security::ContextPointer
&, AnyP::PortCfg
&);
91 /// initialize a TLS client context with OpenSSL specific settings
92 bool InitClientContext(Security::ContextPointer
&, Security::PeerOptions
&, long options
, long flags
);
94 #if defined(CRYPTO_LOCK_X509)
95 // portability wrapper for OpenSSL 1.0 vs 1.1
96 // use Security::CertPointer instead where possible
97 inline int X509_up_ref(X509
*t
) {if (t
) CRYPTO_add(&t
->references
, 1, CRYPTO_LOCK_X509
); return 0;}
102 /// \ingroup ServerProtocolSSLAPI
103 int ssl_read_method(int, char *, int);
105 /// \ingroup ServerProtocolSSLAPI
106 int ssl_write_method(int, const char *, int);
108 /// \ingroup ServerProtocolSSLAPI
109 void ssl_shutdown_method(SSL
*ssl
);
111 /// \ingroup ServerProtocolSSLAPI
112 const char *sslGetUserEmail(SSL
*ssl
);
114 /// \ingroup ServerProtocolSSLAPI
115 const char *sslGetUserAttribute(SSL
*ssl
, const char *attribute_name
);
117 /// \ingroup ServerProtocolSSLAPI
118 const char *sslGetCAAttribute(SSL
*ssl
, const char *attribute_name
);
120 /// \ingroup ServerProtocolSSLAPI
121 const char *sslGetUserCertificatePEM(SSL
*ssl
);
123 /// \ingroup ServerProtocolSSLAPI
124 const char *sslGetUserCertificateChainPEM(SSL
*ssl
);
128 /// \ingroup ServerProtocolSSLAPI
129 typedef char const *GETX509ATTRIBUTE(X509
*, const char *);
131 /// \ingroup ServerProtocolSSLAPI
132 GETX509ATTRIBUTE GetX509UserAttribute
;
134 /// \ingroup ServerProtocolSSLAPI
135 GETX509ATTRIBUTE GetX509CAAttribute
;
137 /// \ingroup ServerProtocolSSLAPI
138 GETX509ATTRIBUTE GetX509Fingerprint
;
140 extern const EVP_MD
*DefaultSignHash
;
143 \ingroup ServerProtocolSSLAPI
144 * Supported ssl-bump modes
146 enum BumpMode
{bumpNone
= 0, bumpClientFirst
, bumpServerFirst
, bumpPeek
, bumpStare
, bumpBump
, bumpSplice
, bumpTerminate
, /*bumpErr,*/ bumpEnd
};
148 enum BumpStep
{bumpStep1
, bumpStep2
, bumpStep3
};
151 \ingroup ServerProtocolSSLAPI
152 * Short names for ssl-bump modes
154 extern std::vector
<const char *>BumpModeStr
;
157 \ingroup ServerProtocolSSLAPI
158 * Return the short name of the ssl-bump mode "bm"
160 inline const char *bumpMode(int bm
)
162 return (0 <= bm
&& bm
< Ssl::bumpEnd
) ? Ssl::BumpModeStr
.at(bm
) : NULL
;
165 /// certificates indexed by issuer name
166 typedef std::multimap
<SBuf
, X509
*> CertsIndexedList
;
169 * Load PEM-encoded certificates from the given file.
171 bool loadCerts(const char *certsFile
, Ssl::CertsIndexedList
&list
);
174 * Load PEM-encoded certificates to the squid untrusteds certificates
175 * internal DB from the given file.
177 bool loadSquidUntrusted(const char *path
);
180 * Removes all certificates from squid untrusteds certificates
181 * internal DB and frees all memory
183 void unloadSquidUntrusted();
186 * Add the certificate cert to ssl object untrusted certificates.
187 * Squid uses an attached to SSL object list of untrusted certificates,
188 * with certificates which can be used to complete incomplete chains sent
191 void SSL_add_untrusted_cert(SSL
*ssl
, X509
*cert
);
194 * Searches in serverCertificates list for the cert issuer and if not found
195 * and Authority Info Access of cert provides a URI return it.
197 const char *uriOfIssuerIfMissing(X509
*cert
, Security::CertList
const &serverCertificates
);
200 * Fill URIs queue with the uris of missing certificates from serverCertificate chain
201 * if this information provided by Authority Info Access.
203 void missingChainCertificatesUrls(std::queue
<SBuf
> &URIs
, Security::CertList
const &serverCertificates
);
206 \ingroup ServerProtocolSSLAPI
207 * Generate a certificate to be used as untrusted signing certificate, based on a trusted CA
209 bool generateUntrustedCert(Security::CertPointer
& untrustedCert
, EVP_PKEY_Pointer
& untrustedPkey
, Security::CertPointer
const & cert
, EVP_PKEY_Pointer
const & pkey
);
211 /// certificates indexed by issuer name
212 typedef std::multimap
<SBuf
, X509
*> CertsIndexedList
;
215 \ingroup ServerProtocolSSLAPI
216 * Load PEM-encoded certificates from the given file.
218 bool loadCerts(const char *certsFile
, Ssl::CertsIndexedList
&list
);
221 \ingroup ServerProtocolSSLAPI
222 * Load PEM-encoded certificates to the squid untrusteds certificates
223 * internal DB from the given file.
225 bool loadSquidUntrusted(const char *path
);
228 \ingroup ServerProtocolSSLAPI
229 * Removes all certificates from squid untrusteds certificates
230 * internal DB and frees all memory
232 void unloadSquidUntrusted();
235 \ingroup ServerProtocolSSLAPI
236 * Decide on the kind of certificate and generate a CA- or self-signed one
238 Security::ContextPointer
generateSslContext(CertificateProperties
const &properties
, AnyP::PortCfg
&port
);
241 \ingroup ServerProtocolSSLAPI
242 * Check if the certificate of the given context is still valid
243 \param sslContext The context to check
244 \param properties Check if the context certificate matches the given properties
245 \return true if the contexts certificate is valid, false otherwise
247 bool verifySslCertificate(Security::ContextPointer
&, CertificateProperties
const &);
250 \ingroup ServerProtocolSSLAPI
251 * Read private key and certificate from memory and generate SSL context
254 Security::ContextPointer
generateSslContextUsingPkeyAndCertFromMemory(const char * data
, AnyP::PortCfg
&port
);
257 \ingroup ServerProtocolSSLAPI
258 * Create an SSL context using the provided certificate and key
260 Security::ContextPointer
createSSLContext(Security::CertPointer
& x509
, Ssl::EVP_PKEY_Pointer
& pkey
, AnyP::PortCfg
&port
);
263 \ingroup ServerProtocolSSLAPI
264 * Chain signing certificate and chained certificates to an SSL Context
266 void chainCertificatesToSSLContext(Security::ContextPointer
&, AnyP::PortCfg
&);
269 \ingroup ServerProtocolSSLAPI
270 * Configure a previously unconfigured SSL context object.
272 void configureUnconfiguredSslContext(Security::ContextPointer
&, Ssl::CertSignAlgorithm signAlgorithm
, AnyP::PortCfg
&);
275 \ingroup ServerProtocolSSLAPI
276 * Generates a certificate and a private key using provided properies and set it
279 bool configureSSL(SSL
*ssl
, CertificateProperties
const &properties
, AnyP::PortCfg
&port
);
282 \ingroup ServerProtocolSSLAPI
283 * Read private key and certificate from memory and set it to SSL object
286 bool configureSSLUsingPkeyAndCertFromMemory(SSL
*ssl
, const char *data
, AnyP::PortCfg
&port
);
289 \ingroup ServerProtocolSSLAPI
290 * Adds the certificates in certList to the certificate chain of the SSL context
292 void addChainToSslContext(Security::ContextPointer
&, STACK_OF(X509
) *certList
);
295 \ingroup ServerProtocolSSLAPI
296 * Configures sslContext to use squid untrusted certificates internal list
297 * to complete certificate chains when verifies SSL servers certificates.
299 void useSquidUntrusted(SSL_CTX
*sslContext
);
302 \ingroup ServerProtocolSSLAPI
303 * Read certificate, private key and any certificates which must be chained from files.
304 * See also: Ssl::readCertAndPrivateKeyFromFiles function, defined in gadgets.h
305 * \param certFilename name of file with certificate and certificates which must be chainned.
306 * \param keyFilename name of file with private key.
308 void readCertChainAndPrivateKeyFromFiles(Security::CertPointer
& cert
, EVP_PKEY_Pointer
& pkey
, X509_STACK_Pointer
& chain
, char const * certFilename
, char const * keyFilename
);
311 \ingroup ServerProtocolSSLAPI
312 * Iterates over the X509 common and alternate names and to see if matches with given data
313 * using the check_func.
314 \param peer_cert The X509 cert to check
315 \param check_data The data with which the X509 CNs compared
316 \param check_func The function used to match X509 CNs. The CN data passed as ASN1_STRING data
317 \return 1 if any of the certificate CN matches, 0 if none matches.
319 int matchX509CommonNames(X509
*peer_cert
, void *check_data
, int (*check_func
)(void *check_data
, ASN1_STRING
*cn_data
));
322 \ingroup ServerProtocolSSLAPI
323 * Check if the certificate is valid for a server
324 \param cert The X509 cert to check.
325 \param server The server name.
326 \return true if the certificate is valid for the server or false otherwise.
328 bool checkX509ServerValidity(X509
*cert
, const char *server
);
331 \ingroup ServerProtocolSSLAPI
332 * Convert a given ASN1_TIME to a string form.
333 \param tm the time in ASN1_TIME form
334 \param buf the buffer to write the output
335 \param len write at most len bytes
336 \return The number of bytes written
338 int asn1timeToString(ASN1_TIME
*tm
, char *buf
, int len
);
341 \ingroup ServerProtocolSSLAPI
342 * Sets the hostname for the Server Name Indication (SNI) TLS extension
343 * if supported by the used openssl toolkit.
344 \return true if SNI set false otherwise
346 bool setClientSNI(SSL
*ssl
, const char *fqdn
);
352 #if defined(__cplusplus)
354 /** \cond AUTODOCS-IGNORE */
359 /// \ingroup ServerProtocolSSLAPI
361 int SSL_set_fd(SSL
*ssl
, int fd
)
363 return ::SSL_set_fd(ssl
, _get_osfhandle(fd
));
366 /// \ingroup ServerProtocolSSLAPI
367 #define SSL_set_fd(ssl,fd) Squid::SSL_set_fd(ssl,fd)
369 } /* namespace Squid */
373 /// \ingroup ServerProtocolSSLAPI
374 #define SSL_set_fd(s,f) (SSL_set_fd(s, _get_osfhandle(f)))
376 #endif /* __cplusplus */
378 #endif /* _SQUID_WINDOWS_ */
380 #endif /* USE_OPENSSL */
381 #endif /* SQUID_SSL_SUPPORT_H */