[thirdparty/squid.git] / src / security / forward.h

/*
 * Copyright (C) 1996-2025 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

#ifndef SQUID_SRC_SECURITY_FORWARD_H
#define SQUID_SRC_SECURITY_FORWARD_H

#include "base/CbDataList.h"
#include "base/forward.h"
#include "base/ToCpp.h"
#include "security/LockingPointer.h"

#if HAVE_LIBGNUTLS
#if HAVE_GNUTLS_ABSTRACT_H
#include <gnutls/abstract.h>
#endif
#endif /* HAVE_LIBGNUTLS */
#include <list>
#include <limits>
#include <memory>
#if USE_OPENSSL
#include "compat/openssl.h"
#if HAVE_OPENSSL_BN_H
#include <openssl/bn.h>
#endif
#if HAVE_OPENSSL_ERR_H
#include <openssl/err.h>
#endif
#if HAVE_OPENSSL_RSA_H
#include <openssl/rsa.h>
#endif
#if HAVE_OPENSSL_X509_H
#include <openssl/x509.h>
#endif
#endif /* USE_OPENSSL */
#include <unordered_set>

#if USE_OPENSSL
// Macro to be used to define the C++ wrapper functor of the sk_*_pop_free
// OpenSSL family of functions. The C++ functor is suffixed with the _free_wrapper
// extension
#define sk_dtor_wrapper(sk_object, argument_type, freefunction) \
        struct sk_object ## _free_wrapper { \
            void operator()(argument_type a) { sk_object ## _pop_free(a, freefunction); } \
        }
#endif /* USE_OPENSSL */

/* flags a SSL connection can be configured with */
#define SSL_FLAG_NO_DEFAULT_CA      (1<<0)
#define SSL_FLAG_DELAYED_AUTH       (1<<1)
#define SSL_FLAG_DONT_VERIFY_PEER   (1<<2)
#define SSL_FLAG_DONT_VERIFY_DOMAIN (1<<3)
#define SSL_FLAG_NO_SESSION_REUSE   (1<<4)
#define SSL_FLAG_VERIFY_CRL         (1<<5)
#define SSL_FLAG_VERIFY_CRL_ALL     (1<<6)
#define SSL_FLAG_CONDITIONAL_AUTH   (1<<7)

#if !USE_OPENSSL && !HAVE_LIBGNUTLS
/// A helper type to keep all three possible underlying types of the
/// Security::Certificate typedef below inside global namespace, so that
/// argument-dependent lookup for operator "<<" (Certificate) works inside
/// functions declared in Security and global namespaces.
struct notls_x509 {};
#endif

/// Network/connection security abstraction layer
namespace Security
{

class CertError;
/// Holds a list of X.509 certificate errors
typedef CbDataList<Security::CertError> CertErrors;

#if USE_OPENSSL
typedef X509 Certificate;
#elif HAVE_LIBGNUTLS
typedef struct gnutls_x509_crt_int Certificate;
#else
typedef struct notls_x509 Certificate;
#endif

#if USE_OPENSSL
CtoCpp1(X509_free, X509 *);
typedef Security::LockingPointer<X509, X509_free_cpp, HardFun<int, X509 *, X509_up_ref> > CertPointer;
#elif HAVE_LIBGNUTLS
typedef std::shared_ptr<struct gnutls_x509_crt_int> CertPointer;
#else
typedef std::shared_ptr<Certificate> CertPointer;
#endif

#if USE_OPENSSL
CtoCpp1(X509_CRL_free, X509_CRL *);
typedef Security::LockingPointer<X509_CRL, X509_CRL_free_cpp, HardFun<int, X509_CRL *, X509_CRL_up_ref> > CrlPointer;
#elif HAVE_LIBGNUTLS
CtoCpp1(gnutls_x509_crl_deinit, gnutls_x509_crl_t);
typedef Security::LockingPointer<struct gnutls_x509_crl_int, gnutls_x509_crl_deinit> CrlPointer;
#else
typedef void *CrlPointer;
#endif

typedef std::list<Security::CertPointer> CertList;

typedef std::list<Security::CrlPointer> CertRevokeList;

#if USE_OPENSSL
CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
using PrivateKeyPointer = Security::LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, HardFun<int, EVP_PKEY *, EVP_PKEY_up_ref>>;
#elif HAVE_LIBGNUTLS
using PrivateKeyPointer = std::shared_ptr<struct gnutls_x509_privkey_int>;
#else
using PrivateKeyPointer = std::shared_ptr<void>;
#endif

#if USE_OPENSSL
#if OPENSSL_VERSION_MAJOR < 3
CtoCpp1(DH_free, DH *);
typedef Security::LockingPointer<DH, DH_free_cpp, HardFun<int, DH *, DH_up_ref> > DhePointer;
#else
using DhePointer = PrivateKeyPointer;
#endif
#elif HAVE_LIBGNUTLS
using DhePointer = void *;
#else
using DhePointer = void *;
#endif

class EncryptorAnswer;

/// Squid-defined error code (<0), an error code returned by X.509 API, or zero
typedef int ErrorCode;

/// TLS library-reported non-validation error
#if USE_OPENSSL
/// the result of the first ERR_get_error(3SSL) call after a library call;
/// `openssl errstr` expands these numbers into human-friendlier strings like
/// `error:1408F09C:SSL routines:ssl3_get_record:http request`
typedef unsigned long LibErrorCode;
#elif HAVE_LIBGNUTLS
/// the result of an API function like gnutls_handshake() (e.g.,
/// GNUTLS_E_WARNING_ALERT_RECEIVED)
typedef int LibErrorCode;
#else
/// should always be zero and virtually unused
typedef int LibErrorCode;
#endif

/// converts numeric LibErrorCode into a human-friendlier string
inline const char *ErrorString(const LibErrorCode code) {
#if USE_OPENSSL
    return ERR_error_string(code, nullptr);
#elif HAVE_LIBGNUTLS
    return gnutls_strerror(code);
#else
    (void)code;
    return "[no TLS library]";
#endif
}

/// set of Squid defined TLS error codes
/// \note using std::unordered_set ensures values are unique, with fast lookup
typedef std::unordered_set<Security::ErrorCode> Errors;

namespace Io
{
enum Type {
#if USE_OPENSSL
    BIO_TO_CLIENT = 6000,
    BIO_TO_SERVER
#elif HAVE_LIBGNUTLS
    // NP: this is odd looking but correct.
    // 'to-client' means we are a server, and vice versa.
    BIO_TO_CLIENT = GNUTLS_SERVER,
    BIO_TO_SERVER = GNUTLS_CLIENT
#else
    BIO_TO_CLIENT = 6000,
    BIO_TO_SERVER
#endif
};

} // namespace Io

// TODO: Either move to Security::Io or remove/restrict the Io namespace.
class IoResult;

class CommunicationSecrets;
class KeyData;
class KeyLog;

#if USE_OPENSSL
using ParsedOptions = uint64_t;
#elif HAVE_LIBGNUTLS
typedef std::shared_ptr<struct gnutls_priority_st> ParsedOptions;
#else
class ParsedOptions {}; // we never parse/use TLS options in this case
#endif

/// bitmask representing configured http(s)_port `sslflags`
/// as well tls_outgoing_options `flags`, cache_peer `sslflags`, and
/// icap_service `tls-flags`
typedef long ParsedPortFlags;

class PeerConnector;
class BlindPeerConnector;
class PeerOptions;

class ServerOptions;

class FuturePeerContext;

class ErrorDetail;
typedef RefCount<ErrorDetail> ErrorDetailPointer;

std::ostream &operator <<(std::ostream &, const KeyLog &);

void OpenLogs(); ///< opens logs enabled in the current configuration
void RotateLogs(); ///< rotates logs opened by OpenLogs()
void CloseLogs(); ///< closes logs opened by OpenLogs()

} // namespace Security

/// Squid-specific TLS handling errors (a subset of ErrorCode)
/// These errors either distinguish high-level library calls/contexts or
/// supplement official certificate validation errors to cover special cases.
/// We use negative values, assuming that those official errors are positive.
enum {
    SQUID_TLS_ERR_OFFSET = std::numeric_limits<int>::min(),

    /* TLS library calls/contexts other than validation (e.g., I/O) */
    SQUID_TLS_ERR_ACCEPT, ///< failure to accept a connection from a TLS client
    SQUID_TLS_ERR_CONNECT, ///< failure to establish a connection with a TLS server

    /* certificate validation problems not covered by official errors */
    SQUID_X509_V_ERR_CERT_CHANGE,
    SQUID_X509_V_ERR_DOMAIN_MISMATCH,
    SQUID_X509_V_ERR_INFINITE_VALIDATION,

    SQUID_TLS_ERR_END
};

#endif /* SQUID_SRC_SECURITY_FORWARD_H */
Commit	Line	Data
fcfdf7f9	1	/*
1f7b830e	2	* Copyright (C) 1996-2025 The Squid Software Foundation and contributors
fcfdf7f9 AJ	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
	9	#ifndef SQUID_SRC_SECURITY_FORWARD_H
	10	#define SQUID_SRC_SECURITY_FORWARD_H
	11
92e3827b	12	#include "base/CbDataList.h"
83b053a0	13	#include "base/forward.h"
a7b75c64 FC	14	#include "base/ToCpp.h"
a7b75c64 FC	15	#include "security/LockingPointer.h"
f97700a0	16
c813943d AJ	17	#if HAVE_LIBGNUTLS
c813943d AJ	18	#if HAVE_GNUTLS_ABSTRACT_H
51e09c08	19	#include <gnutls/abstract.h>
f97700a0	20	#endif
c813943d	21	#endif /* HAVE_LIBGNUTLS */
6b19d1f9	22	#include <list>
83b053a0	23	#include <limits>
a7b75c64	24	#include <memory>
24b30fdc EQ	25	#if USE_OPENSSL
	26	#include "compat/openssl.h"
	27	#if HAVE_OPENSSL_BN_H
	28	#include <openssl/bn.h>
	29	#endif
	30	#if HAVE_OPENSSL_ERR_H
ea574635 AJ	31	#include <openssl/err.h>
ea574635 AJ	32	#endif
24b30fdc EQ	33	#if HAVE_OPENSSL_RSA_H
	34	#include <openssl/rsa.h>
	35	#endif
a7b75c64 FC	36	#if HAVE_OPENSSL_X509_H
	37	#include <openssl/x509.h>
	38	#endif
24b30fdc	39	#endif /* USE_OPENSSL */
83f8d8f9	40	#include <unordered_set>
fcfdf7f9	41
48c7e8cb AJ	42	#if USE_OPENSSL
	43	// Macro to be used to define the C++ wrapper functor of the sk_*_pop_free
	44	// OpenSSL family of functions. The C++ functor is suffixed with the _free_wrapper
	45	// extension
	46	#define sk_dtor_wrapper(sk_object, argument_type, freefunction) \
	47	struct sk_object ## _free_wrapper { \
	48	void operator()(argument_type a) { sk_object ## _pop_free(a, freefunction); } \
	49	}
	50	#endif /* USE_OPENSSL */
	51
b24e9ae7 AJ	52	/* flags a SSL connection can be configured with */
	53	#define SSL_FLAG_NO_DEFAULT_CA (1<<0)
	54	#define SSL_FLAG_DELAYED_AUTH (1<<1)
	55	#define SSL_FLAG_DONT_VERIFY_PEER (1<<2)
	56	#define SSL_FLAG_DONT_VERIFY_DOMAIN (1<<3)
	57	#define SSL_FLAG_NO_SESSION_REUSE (1<<4)
	58	#define SSL_FLAG_VERIFY_CRL (1<<5)
	59	#define SSL_FLAG_VERIFY_CRL_ALL (1<<6)
983fab6e	60	#define SSL_FLAG_CONDITIONAL_AUTH (1<<7)
b24e9ae7	61
c813943d	62	#if !USE_OPENSSL && !HAVE_LIBGNUTLS
907831e6 AR	63	/// A helper type to keep all three possible underlying types of the
	64	/// Security::Certificate typedef below inside global namespace, so that
	65	/// argument-dependent lookup for operator "<<" (Certificate) works inside
	66	/// functions declared in Security and global namespaces.
	67	struct notls_x509 {};
	68	#endif
	69
fcfdf7f9 AJ	70	/// Network/connection security abstraction layer
	71	namespace Security
	72	{
	73
92e3827b AJ	74	class CertError;
	75	/// Holds a list of X.509 certificate errors
	76	typedef CbDataList<Security::CertError> CertErrors;
	77
83b053a0 CT	78	#if USE_OPENSSL
83b053a0 CT	79	typedef X509 Certificate;
c813943d	80	#elif HAVE_LIBGNUTLS
83b053a0 CT	81	typedef struct gnutls_x509_crt_int Certificate;
83b053a0 CT	82	#else
907831e6	83	typedef struct notls_x509 Certificate;
83b053a0 CT	84	#endif
83b053a0 CT	85
f97700a0	86	#if USE_OPENSSL
f439fbd2	87	CtoCpp1(X509_free, X509 *);
4103b0c1	88	typedef Security::LockingPointer<X509, X509_free_cpp, HardFun<int, X509 *, X509_up_ref> > CertPointer;
c813943d	89	#elif HAVE_LIBGNUTLS
51e09c08	90	typedef std::shared_ptr<struct gnutls_x509_crt_int> CertPointer;
f97700a0	91	#else
83b053a0	92	typedef std::shared_ptr<Certificate> CertPointer;
f97700a0 AJ	93	#endif
f97700a0 AJ	94
6b19d1f9	95	#if USE_OPENSSL
f439fbd2	96	CtoCpp1(X509_CRL_free, X509_CRL *);
4103b0c1	97	typedef Security::LockingPointer<X509_CRL, X509_CRL_free_cpp, HardFun<int, X509_CRL *, X509_CRL_up_ref> > CrlPointer;
c813943d	98	#elif HAVE_LIBGNUTLS
f439fbd2	99	CtoCpp1(gnutls_x509_crl_deinit, gnutls_x509_crl_t);
4103b0c1	100	typedef Security::LockingPointer<struct gnutls_x509_crl_int, gnutls_x509_crl_deinit> CrlPointer;
6b19d1f9 AJ	101	#else
	102	typedef void *CrlPointer;
	103	#endif
	104
a34d1d2d CT	105	typedef std::list<Security::CertPointer> CertList;
a34d1d2d CT	106
4b5ea8a6 CT	107	typedef std::list<Security::CrlPointer> CertRevokeList;
4b5ea8a6 CT	108
104deb98	109	#if USE_OPENSSL
742236c7 AJ	110	CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
742236c7 AJ	111	using PrivateKeyPointer = Security::LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, HardFun<int, EVP_PKEY *, EVP_PKEY_up_ref>>;
c813943d	112	#elif HAVE_LIBGNUTLS
742236c7 AJ	113	using PrivateKeyPointer = std::shared_ptr<struct gnutls_x509_privkey_int>;
	114	#else
	115	using PrivateKeyPointer = std::shared_ptr<void>;
	116	#endif
	117
	118	#if USE_OPENSSL
	119	#if OPENSSL_VERSION_MAJOR < 3
104deb98	120	CtoCpp1(DH_free, DH *);
4103b0c1	121	typedef Security::LockingPointer<DH, DH_free_cpp, HardFun<int, DH *, DH_up_ref> > DhePointer;
104deb98	122	#else
742236c7 AJ	123	using DhePointer = PrivateKeyPointer;
742236c7 AJ	124	#endif
c813943d	125	#elif HAVE_LIBGNUTLS
742236c7 AJ	126	using DhePointer = void *;
	127	#else
	128	using DhePointer = void *;
104deb98 AJ	129	#endif
104deb98 AJ	130
a72b6e88	131	class EncryptorAnswer;
13cd7dee	132
83b053a0	133	/// Squid-defined error code (<0), an error code returned by X.509 API, or zero
13cd7dee AJ	134	typedef int ErrorCode;
13cd7dee AJ	135
83b053a0 CT	136	/// TLS library-reported non-validation error
	137	#if USE_OPENSSL
	138	/// the result of the first ERR_get_error(3SSL) call after a library call;
	139	/// `openssl errstr` expands these numbers into human-friendlier strings like
	140	/// `error:1408F09C:SSL routines:ssl3_get_record:http request`
	141	typedef unsigned long LibErrorCode;
c813943d	142	#elif HAVE_LIBGNUTLS
83b053a0 CT	143	/// the result of an API function like gnutls_handshake() (e.g.,
	144	/// GNUTLS_E_WARNING_ALERT_RECEIVED)
	145	typedef int LibErrorCode;
	146	#else
	147	/// should always be zero and virtually unused
	148	typedef int LibErrorCode;
	149	#endif
	150
	151	/// converts numeric LibErrorCode into a human-friendlier string
	152	inline const char *ErrorString(const LibErrorCode code) {
ea574635 AJ	153	#if USE_OPENSSL
ea574635 AJ	154	return ERR_error_string(code, nullptr);
c813943d	155	#elif HAVE_LIBGNUTLS
ea574635 AJ	156	return gnutls_strerror(code);
ea574635 AJ	157	#else
8b082ed9	158	(void)code;
ea574635 AJ	159	return "[no TLS library]";
	160	#endif
	161	}
	162
83f8d8f9 AJ	163	/// set of Squid defined TLS error codes
	164	/// \note using std::unordered_set ensures values are unique, with fast lookup
	165	typedef std::unordered_set<Security::ErrorCode> Errors;
	166
86f77270 AJ	167	namespace Io
86f77270 AJ	168	{
ed5f5120	169	enum Type {
c96b5508	170	#if USE_OPENSSL
ed5f5120 SM	171	BIO_TO_CLIENT = 6000,
ed5f5120 SM	172	BIO_TO_SERVER
c813943d	173	#elif HAVE_LIBGNUTLS
ed5f5120 SM	174	// NP: this is odd looking but correct.
	175	// 'to-client' means we are a server, and vice versa.
	176	BIO_TO_CLIENT = GNUTLS_SERVER,
	177	BIO_TO_SERVER = GNUTLS_CLIENT
087b94cb	178	#else
ed5f5120 SM	179	BIO_TO_CLIENT = 6000,
ed5f5120 SM	180	BIO_TO_SERVER
087b94cb	181	#endif
ed5f5120	182	};
86f77270 AJ	183
	184	} // namespace Io
	185
83b053a0 CT	186	// TODO: Either move to Security::Io or remove/restrict the Io namespace.
	187	class IoResult;
	188
e227da8d	189	class CommunicationSecrets;
d1d72d43	190	class KeyData;
e227da8d	191	class KeyLog;
353e09d8	192
c96b5508	193	#if USE_OPENSSL
742236c7	194	using ParsedOptions = uint64_t;
c813943d	195	#elif HAVE_LIBGNUTLS
c17dcc9a	196	typedef std::shared_ptr<struct gnutls_priority_st> ParsedOptions;
353e09d8	197	#else
c96b5508	198	class ParsedOptions {}; // we never parse/use TLS options in this case
353e09d8 AJ	199	#endif
353e09d8 AJ	200
983fab6e	201	/// bitmask representing configured http(s)_port `sslflags`
	202	/// as well tls_outgoing_options `flags`, cache_peer `sslflags`, and
	203	/// icap_service `tls-flags`
	204	typedef long ParsedPortFlags;
	205
a72b6e88	206	class PeerConnector;
2b6b1bcb	207	class BlindPeerConnector;
a72b6e88	208	class PeerOptions;
cf487124	209
a72b6e88	210	class ServerOptions;
d1d72d43	211
908634e8 AR	212	class FuturePeerContext;
908634e8 AR	213
83b053a0 CT	214	class ErrorDetail;
	215	typedef RefCount<ErrorDetail> ErrorDetailPointer;
	216
e227da8d AR	217	std::ostream &operator <<(std::ostream &, const KeyLog &);
	218
	219	void OpenLogs(); ///< opens logs enabled in the current configuration
	220	void RotateLogs(); ///< rotates logs opened by OpenLogs()
	221	void CloseLogs(); ///< closes logs opened by OpenLogs()
	222
fcfdf7f9 AJ	223	} // namespace Security
fcfdf7f9 AJ	224
83b053a0 CT	225	/// Squid-specific TLS handling errors (a subset of ErrorCode)
	226	/// These errors either distinguish high-level library calls/contexts or
	227	/// supplement official certificate validation errors to cover special cases.
	228	/// We use negative values, assuming that those official errors are positive.
	229	enum {
	230	SQUID_TLS_ERR_OFFSET = std::numeric_limits<int>::min(),
	231
	232	/* TLS library calls/contexts other than validation (e.g., I/O) */
	233	SQUID_TLS_ERR_ACCEPT, ///< failure to accept a connection from a TLS client
	234	SQUID_TLS_ERR_CONNECT, ///< failure to establish a connection with a TLS server
	235
	236	/* certificate validation problems not covered by official errors */
	237	SQUID_X509_V_ERR_CERT_CHANGE,
	238	SQUID_X509_V_ERR_DOMAIN_MISMATCH,
	239	SQUID_X509_V_ERR_INFINITE_VALIDATION,
	240
	241	SQUID_TLS_ERR_END
	242	};
	243
fcfdf7f9 AJ	244	#endif /* SQUID_SRC_SECURITY_FORWARD_H */
fcfdf7f9 AJ	245