fcfdf7f9 | 1 | /* |
b8ae064d | 2 | * Copyright (C) 1996-2023 The Squid Software Foundation and contributors |
3 | * |
4 | * Squid software is distributed under GPLv2+ license and includes | |
5 | * contributions from numerous individuals and organizations. | |
6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
7 | */ | |
8 | ||
9 | #ifndef SQUID_SRC_SECURITY_FORWARD_H | |
10 | #define SQUID_SRC_SECURITY_FORWARD_H | |
11 | ||
92e3827b | 12 | #include "base/CbDataList.h" |
83b053a0 | 13 | #include "base/forward.h" |
14 | #include "base/ToCpp.h" |
15 | #include "security/LockingPointer.h" | |
f97700a0 | 16 | |
17 | #if USE_GNUTLS && HAVE_GNUTLS_ABSTRACT_H |
18 | #include <gnutls/abstract.h> | |
f97700a0 | 19 | #endif |
6b19d1f9 | 20 | #include <list> |
83b053a0 | 21 | #include <limits> |
a7b75c64 | 22 | #include <memory> |
23 | #if USE_OPENSSL |
24 | #include "compat/openssl.h" | |
25 | #if HAVE_OPENSSL_BN_H | |
26 | #include <openssl/bn.h> | |
27 | #endif | |
28 | #if HAVE_OPENSSL_ERR_H | |
29 | #include <openssl/err.h> |
30 | #endif | |
31 | #if HAVE_OPENSSL_RSA_H |
32 | #include <openssl/rsa.h> | |
33 | #endif | |
34 | #if HAVE_OPENSSL_X509_H |
35 | #include <openssl/x509.h> | |
36 | #endif | |
24b30fdc | 37 | #endif /* USE_OPENSSL */ |
83f8d8f9 | 38 | #include <unordered_set> |
fcfdf7f9 | 39 | |
40 | #if USE_OPENSSL |
41 | // Macro to be used to define the C++ wrapper functor of the sk_*_pop_free | |
42 | // OpenSSL family of functions. The C++ functor is suffixed with the _free_wrapper | |
44 | // suffix | |
44 | #define sk_dtor_wrapper(sk_object, argument_type, freefunction) \ | |
45 | struct sk_object ## _free_wrapper { \ | |
46 | void operator()(argument_type a) { sk_object ## _pop_free(a, freefunction); } \ | |
47 | } | |
48 | #endif /* USE_OPENSSL */ | |
49 | ||
50 | /* flags a SSL connection can be configured with */ |
51 | #define SSL_FLAG_NO_DEFAULT_CA (1<<0) | |
52 | #define SSL_FLAG_DELAYED_AUTH (1<<1) | |
53 | #define SSL_FLAG_DONT_VERIFY_PEER (1<<2) | |
54 | #define SSL_FLAG_DONT_VERIFY_DOMAIN (1<<3) | |
55 | #define SSL_FLAG_NO_SESSION_REUSE (1<<4) | |
56 | #define SSL_FLAG_VERIFY_CRL (1<<5) | |
57 | #define SSL_FLAG_VERIFY_CRL_ALL (1<<6) | |
983fab6e | 58 | #define SSL_FLAG_CONDITIONAL_AUTH (1<<7) |
b24e9ae7 | 59 | |
60 | #if !USE_OPENSSL && !USE_GNUTLS |
61 | /// A helper type to keep all three possible underlying types of the | |
62 | /// Security::Certificate typedef below inside global namespace, so that | |
63 | /// argument-dependent lookup for operator "<<" (Certificate) works inside | |
64 | /// functions declared in Security and global namespaces. | |
65 | struct notls_x509 {}; | |
66 | #endif | |
67 | ||
68 | /// Network/connection security abstraction layer |
69 | namespace Security | |
70 | { | |
71 | ||
72 | class CertError; |
73 | /// Holds a list of X.509 certificate errors | |
74 | typedef CbDataList<Security::CertError> CertErrors; | |
75 | ||
76 | #if USE_OPENSSL |
77 | typedef X509 Certificate; | |
78 | #elif USE_GNUTLS | |
79 | typedef struct gnutls_x509_crt_int Certificate; | |
80 | #else | |
907831e6 | 81 | typedef struct notls_x509 Certificate; |
82 | #endif |
83 | ||
f97700a0 | 84 | #if USE_OPENSSL |
f439fbd2 | 85 | CtoCpp1(X509_free, X509 *); |
4103b0c1 | 86 | typedef Security::LockingPointer<X509, X509_free_cpp, HardFun<int, X509 *, X509_up_ref> > CertPointer; |
f97700a0 | 87 | #elif USE_GNUTLS |
51e09c08 | 88 | typedef std::shared_ptr<struct gnutls_x509_crt_int> CertPointer; |
f97700a0 | 89 | #else |
83b053a0 | 90 | typedef std::shared_ptr<Certificate> CertPointer; |
91 | #endif |
92 | ||
6b19d1f9 | 93 | #if USE_OPENSSL |
f439fbd2 | 94 | CtoCpp1(X509_CRL_free, X509_CRL *); |
4103b0c1 | 95 | typedef Security::LockingPointer<X509_CRL, X509_CRL_free_cpp, HardFun<int, X509_CRL *, X509_CRL_up_ref> > CrlPointer; |
6b19d1f9 | 96 | #elif USE_GNUTLS |
f439fbd2 | 97 | CtoCpp1(gnutls_x509_crl_deinit, gnutls_x509_crl_t); |
4103b0c1 | 98 | typedef Security::LockingPointer<struct gnutls_x509_crl_int, gnutls_x509_crl_deinit> CrlPointer; |
99 | #else |
100 | typedef void *CrlPointer; | |
101 | #endif | |
102 | ||
103 | typedef std::list<Security::CertPointer> CertList; |
104 | ||
105 | typedef std::list<Security::CrlPointer> CertRevokeList; |
106 | ||
104deb98 | 107 | #if USE_OPENSSL |
108 | CtoCpp1(EVP_PKEY_free, EVP_PKEY *) |
109 | using PrivateKeyPointer = Security::LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, HardFun<int, EVP_PKEY *, EVP_PKEY_up_ref>>; | |
110 | #elif USE_GNUTLS | |
111 | using PrivateKeyPointer = std::shared_ptr<struct gnutls_x509_privkey_int>; | |
112 | #else | |
113 | using PrivateKeyPointer = std::shared_ptr<void>; | |
114 | #endif | |
115 | ||
116 | #if USE_OPENSSL | |
117 | #if OPENSSL_VERSION_MAJOR < 3 | |
104deb98 | 118 | CtoCpp1(DH_free, DH *); |
4103b0c1 | 119 | typedef Security::LockingPointer<DH, DH_free_cpp, HardFun<int, DH *, DH_up_ref> > DhePointer; |
104deb98 | 120 | #else |
121 | using DhePointer = PrivateKeyPointer; |
122 | #endif | |
123 | #elif USE_GNUTLS | |
124 | using DhePointer = void *; | |
125 | #else | |
126 | using DhePointer = void *; | |
127 | #endif |
128 | ||
a72b6e88 | 129 | class EncryptorAnswer; |
13cd7dee | 130 | |
83b053a0 | 131 | /// Squid-defined error code (<0), an error code returned by X.509 API, or zero |
132 | typedef int ErrorCode; |
133 | ||
134 | /// TLS library-reported non-validation error |
135 | #if USE_OPENSSL | |
136 | /// the result of the first ERR_get_error(3SSL) call after a library call; | |
137 | /// `openssl errstr` expands these numbers into human-friendlier strings like | |
138 | /// `error:1408F09C:SSL routines:ssl3_get_record:http request` | |
139 | typedef unsigned long LibErrorCode; | |
140 | #elif USE_GNUTLS | |
141 | /// the result of an API function like gnutls_handshake() (e.g., | |
142 | /// GNUTLS_E_WARNING_ALERT_RECEIVED) | |
143 | typedef int LibErrorCode; | |
144 | #else | |
145 | /// should always be zero and virtually unused | |
146 | typedef int LibErrorCode; | |
147 | #endif | |
148 | ||
/// converts numeric LibErrorCode into a human-friendlier string
/// \param code a LibErrorCode as defined above for the TLS library in use
/// \returns a NUL-terminated string owned by the TLS library or a string
///          literal; callers must not free() or modify it
inline const char *ErrorString(const LibErrorCode code) {
#if USE_OPENSSL
    // ERR_error_string(3ssl) with a null buf argument formats into an
    // OpenSSL-internal static buffer: the result is valid only until the next
    // ERR_error_string() call and is not thread-safe. Copy the text if it
    // must outlive this call (e.g., when accumulating several error strings).
    return ERR_error_string(code, nullptr);
#elif USE_GNUTLS
    return gnutls_strerror(code);
#else
    (void)code; // without a TLS library the code is expected to be zero and is not reported
    return "[no TLS library]";
#endif
}
160 | ||
161 | /// set of Squid defined TLS error codes |
162 | /// \note using std::unordered_set ensures values are unique, with fast lookup | |
163 | typedef std::unordered_set<Security::ErrorCode> Errors; | |
164 | ||
165 | namespace Io |
166 | { | |
ed5f5120 | 167 | enum Type { |
c96b5508 | 168 | #if USE_OPENSSL |
169 | BIO_TO_CLIENT = 6000, |
170 | BIO_TO_SERVER | |
c96b5508 | 171 | #elif USE_GNUTLS |
172 | // NP: this is odd looking but correct. |
173 | // 'to-client' means we are a server, and vice versa. | |
174 | BIO_TO_CLIENT = GNUTLS_SERVER, | |
175 | BIO_TO_SERVER = GNUTLS_CLIENT | |
087b94cb | 176 | #else |
177 | BIO_TO_CLIENT = 6000, |
178 | BIO_TO_SERVER | |
087b94cb | 179 | #endif |
ed5f5120 | 180 | }; |
181 | |
182 | } // namespace Io | |
183 | ||
184 | // TODO: Either move to Security::Io or remove/restrict the Io namespace. |
185 | class IoResult; | |
186 | ||
e227da8d | 187 | class CommunicationSecrets; |
d1d72d43 | 188 | class KeyData; |
e227da8d | 189 | class KeyLog; |
353e09d8 | 190 | |
c96b5508 | 191 | #if USE_OPENSSL |
742236c7 | 192 | using ParsedOptions = uint64_t; |
c96b5508 | 193 | #elif USE_GNUTLS |
c17dcc9a | 194 | typedef std::shared_ptr<struct gnutls_priority_st> ParsedOptions; |
353e09d8 | 195 | #else |
c96b5508 | 196 | class ParsedOptions {}; // we never parse/use TLS options in this case |
197 | #endif |
198 | ||
983fab6e | 199 | /// bitmask representing configured http(s)_port `sslflags` |
200 | /// as well as tls_outgoing_options `flags`, cache_peer `sslflags`, and | |
201 | /// icap_service `tls-flags` | |
202 | typedef long ParsedPortFlags; | |
203 | ||
a72b6e88 | 204 | class PeerConnector; |
2b6b1bcb | 205 | class BlindPeerConnector; |
a72b6e88 | 206 | class PeerOptions; |
cf487124 | 207 | |
a72b6e88 | 208 | class ServerOptions; |
d1d72d43 | 209 | |
210 | class ErrorDetail; |
211 | typedef RefCount<ErrorDetail> ErrorDetailPointer; | |
212 | ||
213 | std::ostream &operator <<(std::ostream &, const KeyLog &); |
214 | ||
215 | void OpenLogs(); ///< opens logs enabled in the current configuration | |
216 | void RotateLogs(); ///< rotates logs opened by OpenLogs() | |
217 | void CloseLogs(); ///< closes logs opened by OpenLogs() | |
218 | ||
219 | } // namespace Security |
220 | ||
221 | /// Squid-specific TLS handling errors (a subset of ErrorCode) |
222 | /// These errors either distinguish high-level library calls/contexts or | |
223 | /// supplement official certificate validation errors to cover special cases. | |
224 | /// We use negative values, assuming that those official errors are positive. | |
225 | enum { | |
226 | SQUID_TLS_ERR_OFFSET = std::numeric_limits<int>::min(), | |
227 | ||
228 | /* TLS library calls/contexts other than validation (e.g., I/O) */ | |
229 | SQUID_TLS_ERR_ACCEPT, ///< failure to accept a connection from a TLS client | |
230 | SQUID_TLS_ERR_CONNECT, ///< failure to establish a connection with a TLS server | |
231 | ||
232 | /* certificate validation problems not covered by official errors */ | |
233 | SQUID_X509_V_ERR_CERT_CHANGE, | |
234 | SQUID_X509_V_ERR_DOMAIN_MISMATCH, | |
235 | SQUID_X509_V_ERR_INFINITE_VALIDATION, | |
236 | ||
237 | SQUID_TLS_ERR_END | |
238 | }; | |
239 | ||
240 | #endif /* SQUID_SRC_SECURITY_FORWARD_H */ |
241 |