[thirdparty/squid.git] / src / security / forward.h

/*
 * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

#ifndef SQUID_SRC_SECURITY_FORWARD_H
#define SQUID_SRC_SECURITY_FORWARD_H

#include "base/CbDataList.h"
#include "base/forward.h"
#include "base/ToCpp.h"
#include "security/LockingPointer.h"

#if USE_GNUTLS && HAVE_GNUTLS_ABSTRACT_H
#include <gnutls/abstract.h>
#endif
#include <list>
#include <limits>
#include <memory>
#if USE_OPENSSL
#include "compat/openssl.h"
#if HAVE_OPENSSL_BN_H
#include <openssl/bn.h>
#endif
#if HAVE_OPENSSL_ERR_H
#include <openssl/err.h>
#endif
#if HAVE_OPENSSL_RSA_H
#include <openssl/rsa.h>
#endif
#if HAVE_OPENSSL_X509_H
#include <openssl/x509.h>
#endif
#endif /* USE_OPENSSL */
#include <unordered_set>

#if USE_OPENSSL
// Macro to be used to define the C++ wrapper functor of the sk_*_pop_free
// OpenSSL family of functions. The C++ functor is suffixed with the _free_wrapper
// extension
#define sk_dtor_wrapper(sk_object, argument_type, freefunction) \
        struct sk_object ## _free_wrapper { \
            void operator()(argument_type a) { sk_object ## _pop_free(a, freefunction); } \
        }
#endif /* USE_OPENSSL */

/* flags a SSL connection can be configured with */
#define SSL_FLAG_NO_DEFAULT_CA      (1<<0)
#define SSL_FLAG_DELAYED_AUTH       (1<<1)
#define SSL_FLAG_DONT_VERIFY_PEER   (1<<2)
#define SSL_FLAG_DONT_VERIFY_DOMAIN (1<<3)
#define SSL_FLAG_NO_SESSION_REUSE   (1<<4)
#define SSL_FLAG_VERIFY_CRL         (1<<5)
#define SSL_FLAG_VERIFY_CRL_ALL     (1<<6)
#define SSL_FLAG_CONDITIONAL_AUTH   (1<<7)

#if !USE_OPENSSL && !USE_GNUTLS
/// A helper type to keep all three possible underlying types of the
/// Security::Certificate typedef below inside global namespace, so that
/// argument-dependent lookup for operator "<<" (Certificate) works inside
/// functions declared in Security and global namespaces.
struct notls_x509 {};
#endif

/// Network/connection security abstraction layer
namespace Security
{

class CertError;
/// Holds a list of X.509 certificate errors
typedef CbDataList<Security::CertError> CertErrors;

#if USE_OPENSSL
typedef X509 Certificate;
#elif USE_GNUTLS
typedef struct gnutls_x509_crt_int Certificate;
#else
typedef struct notls_x509 Certificate;
#endif

#if USE_OPENSSL
CtoCpp1(X509_free, X509 *);
typedef Security::LockingPointer<X509, X509_free_cpp, HardFun<int, X509 *, X509_up_ref> > CertPointer;
#elif USE_GNUTLS
typedef std::shared_ptr<struct gnutls_x509_crt_int> CertPointer;
#else
typedef std::shared_ptr<Certificate> CertPointer;
#endif

#if USE_OPENSSL
CtoCpp1(X509_CRL_free, X509_CRL *);
typedef Security::LockingPointer<X509_CRL, X509_CRL_free_cpp, HardFun<int, X509_CRL *, X509_CRL_up_ref> > CrlPointer;
#elif USE_GNUTLS
CtoCpp1(gnutls_x509_crl_deinit, gnutls_x509_crl_t);
typedef Security::LockingPointer<struct gnutls_x509_crl_int, gnutls_x509_crl_deinit> CrlPointer;
#else
typedef void *CrlPointer;
#endif

typedef std::list<Security::CertPointer> CertList;

typedef std::list<Security::CrlPointer> CertRevokeList;

#if USE_OPENSSL
CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
using PrivateKeyPointer = Security::LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, HardFun<int, EVP_PKEY *, EVP_PKEY_up_ref>>;
#elif USE_GNUTLS
using PrivateKeyPointer = std::shared_ptr<struct gnutls_x509_privkey_int>;
#else
using PrivateKeyPointer = std::shared_ptr<void>;
#endif

#if USE_OPENSSL
#if OPENSSL_VERSION_MAJOR < 3
CtoCpp1(DH_free, DH *);
typedef Security::LockingPointer<DH, DH_free_cpp, HardFun<int, DH *, DH_up_ref> > DhePointer;
#else
using DhePointer = PrivateKeyPointer;
#endif
#elif USE_GNUTLS
using DhePointer = void *;
#else
using DhePointer = void *;
#endif

class EncryptorAnswer;

/// Squid-defined error code (<0), an error code returned by X.509 API, or zero
typedef int ErrorCode;

/// TLS library-reported non-validation error
#if USE_OPENSSL
/// the result of the first ERR_get_error(3SSL) call after a library call;
/// `openssl errstr` expands these numbers into human-friendlier strings like
/// `error:1408F09C:SSL routines:ssl3_get_record:http request`
typedef unsigned long LibErrorCode;
#elif USE_GNUTLS
/// the result of an API function like gnutls_handshake() (e.g.,
/// GNUTLS_E_WARNING_ALERT_RECEIVED)
typedef int LibErrorCode;
#else
/// should always be zero and virtually unused
typedef int LibErrorCode;
#endif

/// converts numeric LibErrorCode into a human-friendlier string
inline const char *ErrorString(const LibErrorCode code) {
#if USE_OPENSSL
    return ERR_error_string(code, nullptr);
#elif USE_GNUTLS
    return gnutls_strerror(code);
#else
    (void)code;
    return "[no TLS library]";
#endif
}

/// set of Squid defined TLS error codes
/// \note using std::unordered_set ensures values are unique, with fast lookup
typedef std::unordered_set<Security::ErrorCode> Errors;

namespace Io
{
enum Type {
#if USE_OPENSSL
    BIO_TO_CLIENT = 6000,
    BIO_TO_SERVER
#elif USE_GNUTLS
    // NP: this is odd looking but correct.
    // 'to-client' means we are a server, and vice versa.
    BIO_TO_CLIENT = GNUTLS_SERVER,
    BIO_TO_SERVER = GNUTLS_CLIENT
#else
    BIO_TO_CLIENT = 6000,
    BIO_TO_SERVER
#endif
};

} // namespace Io

// TODO: Either move to Security::Io or remove/restrict the Io namespace.
class IoResult;

class CommunicationSecrets;
class KeyData;
class KeyLog;

#if USE_OPENSSL
using ParsedOptions = uint64_t;
#elif USE_GNUTLS
typedef std::shared_ptr<struct gnutls_priority_st> ParsedOptions;
#else
class ParsedOptions {}; // we never parse/use TLS options in this case
#endif

/// bitmask representing configured http(s)_port `sslflags`
/// as well tls_outgoing_options `flags`, cache_peer `sslflags`, and
/// icap_service `tls-flags`
typedef long ParsedPortFlags;

class PeerConnector;
class BlindPeerConnector;
class PeerOptions;

class ServerOptions;

class ErrorDetail;
typedef RefCount<ErrorDetail> ErrorDetailPointer;

std::ostream &operator <<(std::ostream &, const KeyLog &);

void OpenLogs(); ///< opens logs enabled in the current configuration
void RotateLogs(); ///< rotates logs opened by OpenLogs()
void CloseLogs(); ///< closes logs opened by OpenLogs()

} // namespace Security

/// Squid-specific TLS handling errors (a subset of ErrorCode)
/// These errors either distinguish high-level library calls/contexts or
/// supplement official certificate validation errors to cover special cases.
/// We use negative values, assuming that those official errors are positive.
enum {
    SQUID_TLS_ERR_OFFSET = std::numeric_limits<int>::min(),

    /* TLS library calls/contexts other than validation (e.g., I/O) */
    SQUID_TLS_ERR_ACCEPT, ///< failure to accept a connection from a TLS client
    SQUID_TLS_ERR_CONNECT, ///< failure to establish a connection with a TLS server

    /* certificate validation problems not covered by official errors */
    SQUID_X509_V_ERR_CERT_CHANGE,
    SQUID_X509_V_ERR_DOMAIN_MISMATCH,
    SQUID_X509_V_ERR_INFINITE_VALIDATION,

    SQUID_TLS_ERR_END
};

#endif /* SQUID_SRC_SECURITY_FORWARD_H */
Commit	Line	Data
fcfdf7f9	1	/*
b8ae064d	2	* Copyright (C) 1996-2023 The Squid Software Foundation and contributors
fcfdf7f9 AJ	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
	9	#ifndef SQUID_SRC_SECURITY_FORWARD_H
	10	#define SQUID_SRC_SECURITY_FORWARD_H
	11
92e3827b	12	#include "base/CbDataList.h"
83b053a0	13	#include "base/forward.h"
a7b75c64 FC	14	#include "base/ToCpp.h"
a7b75c64 FC	15	#include "security/LockingPointer.h"
f97700a0	16
51e09c08 AJ	17	#if USE_GNUTLS && HAVE_GNUTLS_ABSTRACT_H
51e09c08 AJ	18	#include <gnutls/abstract.h>
f97700a0	19	#endif
6b19d1f9	20	#include <list>
83b053a0	21	#include <limits>
a7b75c64	22	#include <memory>
24b30fdc EQ	23	#if USE_OPENSSL
	24	#include "compat/openssl.h"
	25	#if HAVE_OPENSSL_BN_H
	26	#include <openssl/bn.h>
	27	#endif
	28	#if HAVE_OPENSSL_ERR_H
ea574635 AJ	29	#include <openssl/err.h>
ea574635 AJ	30	#endif
24b30fdc EQ	31	#if HAVE_OPENSSL_RSA_H
	32	#include <openssl/rsa.h>
	33	#endif
a7b75c64 FC	34	#if HAVE_OPENSSL_X509_H
	35	#include <openssl/x509.h>
	36	#endif
24b30fdc	37	#endif /* USE_OPENSSL */
83f8d8f9	38	#include <unordered_set>
fcfdf7f9	39
48c7e8cb AJ	40	#if USE_OPENSSL
	41	// Macro to be used to define the C++ wrapper functor of the sk_*_pop_free
	42	// OpenSSL family of functions. The C++ functor is suffixed with the _free_wrapper
	43	// extension
	44	#define sk_dtor_wrapper(sk_object, argument_type, freefunction) \
	45	struct sk_object ## _free_wrapper { \
	46	void operator()(argument_type a) { sk_object ## _pop_free(a, freefunction); } \
	47	}
	48	#endif /* USE_OPENSSL */
	49
b24e9ae7 AJ	50	/* flags a SSL connection can be configured with */
	51	#define SSL_FLAG_NO_DEFAULT_CA (1<<0)
	52	#define SSL_FLAG_DELAYED_AUTH (1<<1)
	53	#define SSL_FLAG_DONT_VERIFY_PEER (1<<2)
	54	#define SSL_FLAG_DONT_VERIFY_DOMAIN (1<<3)
	55	#define SSL_FLAG_NO_SESSION_REUSE (1<<4)
	56	#define SSL_FLAG_VERIFY_CRL (1<<5)
	57	#define SSL_FLAG_VERIFY_CRL_ALL (1<<6)
983fab6e	58	#define SSL_FLAG_CONDITIONAL_AUTH (1<<7)
b24e9ae7	59
907831e6 AR	60	#if !USE_OPENSSL && !USE_GNUTLS
	61	/// A helper type to keep all three possible underlying types of the
	62	/// Security::Certificate typedef below inside global namespace, so that
	63	/// argument-dependent lookup for operator "<<" (Certificate) works inside
	64	/// functions declared in Security and global namespaces.
	65	struct notls_x509 {};
	66	#endif
	67
fcfdf7f9 AJ	68	/// Network/connection security abstraction layer
	69	namespace Security
	70	{
	71
92e3827b AJ	72	class CertError;
	73	/// Holds a list of X.509 certificate errors
	74	typedef CbDataList<Security::CertError> CertErrors;
	75
83b053a0 CT	76	#if USE_OPENSSL
	77	typedef X509 Certificate;
	78	#elif USE_GNUTLS
	79	typedef struct gnutls_x509_crt_int Certificate;
	80	#else
907831e6	81	typedef struct notls_x509 Certificate;
83b053a0 CT	82	#endif
83b053a0 CT	83
f97700a0	84	#if USE_OPENSSL
f439fbd2	85	CtoCpp1(X509_free, X509 *);
4103b0c1	86	typedef Security::LockingPointer<X509, X509_free_cpp, HardFun<int, X509 *, X509_up_ref> > CertPointer;
f97700a0	87	#elif USE_GNUTLS
51e09c08	88	typedef std::shared_ptr<struct gnutls_x509_crt_int> CertPointer;
f97700a0	89	#else
83b053a0	90	typedef std::shared_ptr<Certificate> CertPointer;
f97700a0 AJ	91	#endif
f97700a0 AJ	92
6b19d1f9	93	#if USE_OPENSSL
f439fbd2	94	CtoCpp1(X509_CRL_free, X509_CRL *);
4103b0c1	95	typedef Security::LockingPointer<X509_CRL, X509_CRL_free_cpp, HardFun<int, X509_CRL *, X509_CRL_up_ref> > CrlPointer;
6b19d1f9	96	#elif USE_GNUTLS
f439fbd2	97	CtoCpp1(gnutls_x509_crl_deinit, gnutls_x509_crl_t);
4103b0c1	98	typedef Security::LockingPointer<struct gnutls_x509_crl_int, gnutls_x509_crl_deinit> CrlPointer;
6b19d1f9 AJ	99	#else
	100	typedef void *CrlPointer;
	101	#endif
	102
a34d1d2d CT	103	typedef std::list<Security::CertPointer> CertList;
a34d1d2d CT	104
4b5ea8a6 CT	105	typedef std::list<Security::CrlPointer> CertRevokeList;
4b5ea8a6 CT	106
104deb98	107	#if USE_OPENSSL
742236c7 AJ	108	CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
	109	using PrivateKeyPointer = Security::LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, HardFun<int, EVP_PKEY *, EVP_PKEY_up_ref>>;
	110	#elif USE_GNUTLS
	111	using PrivateKeyPointer = std::shared_ptr<struct gnutls_x509_privkey_int>;
	112	#else
	113	using PrivateKeyPointer = std::shared_ptr<void>;
	114	#endif
	115
	116	#if USE_OPENSSL
	117	#if OPENSSL_VERSION_MAJOR < 3
104deb98	118	CtoCpp1(DH_free, DH *);
4103b0c1	119	typedef Security::LockingPointer<DH, DH_free_cpp, HardFun<int, DH *, DH_up_ref> > DhePointer;
104deb98	120	#else
742236c7 AJ	121	using DhePointer = PrivateKeyPointer;
	122	#endif
	123	#elif USE_GNUTLS
	124	using DhePointer = void *;
	125	#else
	126	using DhePointer = void *;
104deb98 AJ	127	#endif
104deb98 AJ	128
a72b6e88	129	class EncryptorAnswer;
13cd7dee	130
83b053a0	131	/// Squid-defined error code (<0), an error code returned by X.509 API, or zero
13cd7dee AJ	132	typedef int ErrorCode;
13cd7dee AJ	133
83b053a0 CT	134	/// TLS library-reported non-validation error
	135	#if USE_OPENSSL
	136	/// the result of the first ERR_get_error(3SSL) call after a library call;
	137	/// `openssl errstr` expands these numbers into human-friendlier strings like
	138	/// `error:1408F09C:SSL routines:ssl3_get_record:http request`
	139	typedef unsigned long LibErrorCode;
	140	#elif USE_GNUTLS
	141	/// the result of an API function like gnutls_handshake() (e.g.,
	142	/// GNUTLS_E_WARNING_ALERT_RECEIVED)
	143	typedef int LibErrorCode;
	144	#else
	145	/// should always be zero and virtually unused
	146	typedef int LibErrorCode;
	147	#endif
	148
	149	/// converts numeric LibErrorCode into a human-friendlier string
	150	inline const char *ErrorString(const LibErrorCode code) {
ea574635 AJ	151	#if USE_OPENSSL
	152	return ERR_error_string(code, nullptr);
	153	#elif USE_GNUTLS
	154	return gnutls_strerror(code);
	155	#else
8b082ed9	156	(void)code;
ea574635 AJ	157	return "[no TLS library]";
	158	#endif
	159	}
	160
83f8d8f9 AJ	161	/// set of Squid defined TLS error codes
	162	/// \note using std::unordered_set ensures values are unique, with fast lookup
	163	typedef std::unordered_set<Security::ErrorCode> Errors;
	164
86f77270 AJ	165	namespace Io
86f77270 AJ	166	{
ed5f5120	167	enum Type {
c96b5508	168	#if USE_OPENSSL
ed5f5120 SM	169	BIO_TO_CLIENT = 6000,
ed5f5120 SM	170	BIO_TO_SERVER
c96b5508	171	#elif USE_GNUTLS
ed5f5120 SM	172	// NP: this is odd looking but correct.
	173	// 'to-client' means we are a server, and vice versa.
	174	BIO_TO_CLIENT = GNUTLS_SERVER,
	175	BIO_TO_SERVER = GNUTLS_CLIENT
087b94cb	176	#else
ed5f5120 SM	177	BIO_TO_CLIENT = 6000,
ed5f5120 SM	178	BIO_TO_SERVER
087b94cb	179	#endif
ed5f5120	180	};
86f77270 AJ	181
	182	} // namespace Io
	183
83b053a0 CT	184	// TODO: Either move to Security::Io or remove/restrict the Io namespace.
	185	class IoResult;
	186
e227da8d	187	class CommunicationSecrets;
d1d72d43	188	class KeyData;
e227da8d	189	class KeyLog;
353e09d8	190
c96b5508	191	#if USE_OPENSSL
742236c7	192	using ParsedOptions = uint64_t;
c96b5508	193	#elif USE_GNUTLS
c17dcc9a	194	typedef std::shared_ptr<struct gnutls_priority_st> ParsedOptions;
353e09d8	195	#else
c96b5508	196	class ParsedOptions {}; // we never parse/use TLS options in this case
353e09d8 AJ	197	#endif
353e09d8 AJ	198
983fab6e	199	/// bitmask representing configured http(s)_port `sslflags`
	200	/// as well tls_outgoing_options `flags`, cache_peer `sslflags`, and
	201	/// icap_service `tls-flags`
	202	typedef long ParsedPortFlags;
	203
a72b6e88	204	class PeerConnector;
2b6b1bcb	205	class BlindPeerConnector;
a72b6e88	206	class PeerOptions;
cf487124	207
a72b6e88	208	class ServerOptions;
d1d72d43	209
83b053a0 CT	210	class ErrorDetail;
	211	typedef RefCount<ErrorDetail> ErrorDetailPointer;
	212
e227da8d AR	213	std::ostream &operator <<(std::ostream &, const KeyLog &);
	214
	215	void OpenLogs(); ///< opens logs enabled in the current configuration
	216	void RotateLogs(); ///< rotates logs opened by OpenLogs()
	217	void CloseLogs(); ///< closes logs opened by OpenLogs()
	218
fcfdf7f9 AJ	219	} // namespace Security
fcfdf7f9 AJ	220
83b053a0 CT	221	/// Squid-specific TLS handling errors (a subset of ErrorCode)
	222	/// These errors either distinguish high-level library calls/contexts or
	223	/// supplement official certificate validation errors to cover special cases.
	224	/// We use negative values, assuming that those official errors are positive.
	225	enum {
	226	SQUID_TLS_ERR_OFFSET = std::numeric_limits<int>::min(),
	227
	228	/* TLS library calls/contexts other than validation (e.g., I/O) */
	229	SQUID_TLS_ERR_ACCEPT, ///< failure to accept a connection from a TLS client
	230	SQUID_TLS_ERR_CONNECT, ///< failure to establish a connection with a TLS server
	231
	232	/* certificate validation problems not covered by official errors */
	233	SQUID_X509_V_ERR_CERT_CHANGE,
	234	SQUID_X509_V_ERR_DOMAIN_MISMATCH,
	235	SQUID_X509_V_ERR_INFINITE_VALIDATION,
	236
	237	SQUID_TLS_ERR_END
	238	};
	239
fcfdf7f9 AJ	240	#endif /* SQUID_SRC_SECURITY_FORWARD_H */
fcfdf7f9 AJ	241