/*
 * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */
// Forward declarations and library-neutral TLS types shared by the Security
// layer; the concrete type behind each name depends on which TLS library
// (OpenSSL, GnuTLS, or none) the build was configured with.
#ifndef SQUID_SRC_SECURITY_FORWARD_H
#define SQUID_SRC_SECURITY_FORWARD_H
#include "base/CbDataList.h"
#include "security/Context.h"
#include "security/Session.h"

#if USE_GNUTLS && HAVE_GNUTLS_X509_H
#include <gnutls/x509.h>
#endif
#include <list>
#include <memory>
#if USE_OPENSSL && HAVE_OPENSSL_ERR_H
#include <openssl/err.h>
#endif
#include <unordered_set>
#if USE_OPENSSL
// Macro to be used to define the C++ wrapper functor of the sk_*_pop_free
// OpenSSL family of functions. The C++ functor is suffixed with the _free_wrapper
// extension: sk_dtor_wrapper(sk_X, T, f) defines `struct sk_X_free_wrapper`
// whose operator() calls sk_X_pop_free(a, f), i.e. it frees the OpenSSL stack
// and runs f on every element it held. The struct is deliberately left
// unterminated so the use site supplies the ';'. Presumably used as the
// deleter of a smart pointer so a stack is released exactly once when its
// owner goes out of scope -- confirm at the use sites.
#define sk_dtor_wrapper(sk_object, argument_type, freefunction) \
    struct sk_object ## _free_wrapper { \
        void operator()(argument_type a) { sk_object ## _pop_free(a, freefunction); } \
    }
#endif /* USE_OPENSSL */
/* flags a SSL connection can be configured with */
// Each flag occupies a distinct bit so several can be OR-ed into one mask.
// The per-flag meanings below follow from the flag names; the code that reads
// the mask defines the exact effect, so confirm there before relying on them.
// DONT_VERIFY_PEER and DONT_VERIFY_DOMAIN switch off the checks that
// authenticate the remote end, leaving the connection open to impersonation
// by anyone who can answer it; they belong only on a specific, understood
// peer and should be visible in configuration review.
#define SSL_FLAG_NO_DEFAULT_CA      (1<<0) // do not trust the library's default CA set
#define SSL_FLAG_DELAYED_AUTH       (1<<1) // defer peer authentication to a later step
#define SSL_FLAG_DONT_VERIFY_PEER   (1<<2) // skip peer certificate verification
#define SSL_FLAG_DONT_VERIFY_DOMAIN (1<<3) // skip certificate-name vs. host-name matching
#define SSL_FLAG_NO_SESSION_REUSE   (1<<4) // disable TLS session resumption
#define SSL_FLAG_VERIFY_CRL         (1<<5) // check certificates against configured CRLs
#define SSL_FLAG_VERIFY_CRL_ALL     (1<<6) // apply CRL checks to the whole chain
/// Network/connection security abstraction layer
// NOTE(review): the namespace opener and the CertError forward declaration
// are not visible in this rendering of the file; both are required for the
// typedef below and are restored here.
namespace Security
{

class CertError;

/// Holds a list of X.509 certificate errors
/// \note CbDataList (base/CbDataList.h) is used instead of std::list,
///       presumably so the list can be handed to cbdata-based callbacks;
///       confirm with the consumers before changing the container.
typedef CbDataList<Security::CertError> CertErrors;
#if USE_OPENSSL
// CtoCpp1 generates X509_free_cpp(), the unlocker named in CertPointer below.
CtoCpp1(X509_free, X509 *)
#if defined(CRYPTO_LOCK_X509) // OpenSSL 1.0
// OpenSSL 1.0 has no X509_up_ref(); emulate it. CRYPTO_add() under
// CRYPTO_LOCK_X509 keeps the increment thread-safe when OpenSSL locking
// callbacks are installed. The shim always returns 0, whereas OpenSSL 1.1's
// X509_up_ref() returns 1 on success, so the result must never be read as a
// status (presumably the LockingPointer locker ignores it -- confirm there).
inline int X509_up_ref(X509 *t) {if (t) CRYPTO_add(&t->references, 1, CRYPTO_LOCK_X509); return 0;}
#endif
/// Owner of an X509 certificate. X509_free_cpp drops one reference on reset
/// or destruction and X509_up_ref takes one when a raw pointer is adopted
/// with locking, so a certificate shared by several owners is freed exactly
/// once (see LockingPointer's definition for the exact copy semantics).
typedef Security::LockingPointer<X509, X509_free_cpp, HardFun<int, X509 *, X509_up_ref> > CertPointer;
#elif USE_GNUTLS
// CtoCpp1 generates gnutls_x509_crt_deinit_cpp(); note that the typedef below
// passes the C function itself, not this wrapper.
CtoCpp1(gnutls_x509_crt_deinit, gnutls_x509_crt_t)
/// GnuTLS owner of a certificate. No up-ref functor is supplied, so the
/// certificate is released once by gnutls_x509_crt_deinit; whether copies may
/// share the object depends on LockingPointer's default locker -- confirm.
typedef Security::LockingPointer<struct gnutls_x509_crt_int, gnutls_x509_crt_deinit> CertPointer;
#else
/// No TLS library: an opaque placeholder so code carrying a certificate
/// handle still compiles.
typedef void * CertPointer;
#endif
#if USE_OPENSSL
// CtoCpp1 generates X509_CRL_free_cpp(), the unlocker named in CrlPointer below.
CtoCpp1(X509_CRL_free, X509_CRL *)
#if defined(CRYPTO_LOCK_X509_CRL) // OpenSSL 1.0
// OpenSSL 1.0 has no X509_CRL_up_ref(); emulate it. CRYPTO_add() under
// CRYPTO_LOCK_X509_CRL keeps the increment thread-safe when OpenSSL locking
// callbacks are installed. Always returns 0, unlike OpenSSL 1.1's
// X509_CRL_up_ref() which returns 1 on success -- do not treat the result
// as a status.
inline int X509_CRL_up_ref(X509_CRL *t) {if (t) CRYPTO_add(&t->references, 1, CRYPTO_LOCK_X509_CRL); return 0;}
#endif
/// Owner of a certificate revocation list. X509_CRL_free_cpp drops one
/// reference on reset or destruction and X509_CRL_up_ref takes one when a
/// raw pointer is adopted with locking, so a CRL shared by several owners is
/// freed exactly once.
typedef Security::LockingPointer<X509_CRL, X509_CRL_free_cpp, HardFun<int, X509_CRL *, X509_CRL_up_ref> > CrlPointer;
#elif USE_GNUTLS
// CtoCpp1 generates gnutls_x509_crl_deinit_cpp(); the typedef below passes
// the C function itself rather than this wrapper.
CtoCpp1(gnutls_x509_crl_deinit, gnutls_x509_crl_t)
/// GnuTLS owner of a CRL; released once by gnutls_x509_crl_deinit.
typedef Security::LockingPointer<struct gnutls_x509_crl_int, gnutls_x509_crl_deinit> CrlPointer;
#else
/// No TLS library: an opaque placeholder so code carrying a CRL handle
/// still compiles.
typedef void *CrlPointer;
#endif
/// Ordered collection of certificates (typically a chain to present or to
/// trust). Element ownership follows CertPointer: copying the list copies the
/// handles, not the underlying certificates.
typedef std::list<Security::CertPointer> CertList;

/// Ordered collection of certificate revocation lists, with the same
/// ownership rules via CrlPointer.
typedef std::list<Security::CrlPointer> CertRevokeList;
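#if USE_OPENSSL
// CtoCpp1 generates DH_free_cpp(), the unlocker named in DhePointer below.
// No trailing ';': the sibling CtoCpp1 uses in this file carry none, and the
// stray one here only produced an extra-semicolon pedantic warning.
CtoCpp1(DH_free, DH *)
#if defined(CRYPTO_LOCK_DH) // OpenSSL 1.0
// OpenSSL 1.0 has no DH_up_ref(); emulate it. CRYPTO_add() under
// CRYPTO_LOCK_DH keeps the increment thread-safe when OpenSSL locking
// callbacks are installed. Always returns 0, unlike OpenSSL 1.1's DH_up_ref()
// which returns 1 on success -- do not treat the result as a status.
inline int DH_up_ref(DH *t) {if (t) CRYPTO_add(&t->references, 1, CRYPTO_LOCK_DH); return 0;}
#endif
/// Owner of Diffie-Hellman (DHE) parameters. DH_free_cpp drops one reference
/// on reset or destruction and DH_up_ref takes one when a raw pointer is
/// adopted with locking, so the same parameters can be shared by several
/// owners and are freed exactly once.
typedef Security::LockingPointer<DH, DH_free_cpp, HardFun<int, DH *, DH_up_ref> > DhePointer;
#else
/// DHE parameters are only handled with OpenSSL; elsewhere this is an opaque
/// placeholder so code that carries one still compiles.
typedef void *DhePointer;
#endif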
/// Forward declaration; the class is defined elsewhere in the Security layer.
/// Presumably carries the outcome of an asynchronous TLS negotiation back to
/// the requester -- confirm in its definition.
class EncryptorAnswer;
/// Squid defined error code (<0), an error code returned by X.509 API, or SSL_ERROR_NONE
typedef int ErrorCode;

/// Human-readable text for a TLS error code.
/// \param code the code to describe
/// \returns a C string owned by the library (or a literal); never free it.
/// \note With OpenSSL the text comes from ERR_error_string(code, nullptr),
///       which formats into one static buffer that the next call overwrites
///       (not reentrant): copy the result before calling again, or switch to
///       ERR_error_string_n() with a caller buffer if reentrancy matters.
///       The int is converted to ERR_error_string's unsigned long, so a
///       negative Squid-defined code is rendered as a large meaningless
///       number rather than rejected. NOTE(review): X.509 verification
///       results are normally formatted with X509_verify_cert_error_string(),
///       not the error-queue formatter -- confirm which kind of code callers
///       pass here.
inline const char *
ErrorString(const ErrorCode code)
{
    const char *text = "[no TLS library]";
#if USE_OPENSSL
    text = ERR_error_string(code, nullptr);
#elif USE_GNUTLS
    text = gnutls_strerror(code);
#endif
    return text;
}
/// set of Squid defined TLS error codes
/// \note using std::unordered_set ensures values are unique, with fast lookup
/// \note iteration order is unspecified, so code that logs or compares two
///       Errors sets must not depend on element order.
typedef std::unordered_set<Security::ErrorCode> Errors;
// NOTE(review): the enum header lines and the BIO_TO_SERVER enumerators of the
// OpenSSL and no-library branches are missing from this rendering of the
// file; the structure is restored here so the visible enumerators have a
// definition -- confirm against the upstream source.
namespace Io
{
/// Which role this end plays in the TLS session: Squid acting as the TLS
/// server (towards a client) or as the TLS client (towards a server).
/// With OpenSSL the values are Squid-chosen identifiers starting at 6000;
/// with GnuTLS they double as the gnutls_init() role flags, hence the
/// inverted naming explained below.
enum Type {
#if USE_OPENSSL
    BIO_TO_CLIENT = 6000,
    BIO_TO_SERVER
#elif USE_GNUTLS
    // NP: this is odd looking but correct.
    // 'to-client' means we are a server, and vice versa.
    BIO_TO_CLIENT = GNUTLS_SERVER,
    BIO_TO_SERVER = GNUTLS_CLIENT
#else
    BIO_TO_CLIENT = 6000,
    BIO_TO_SERVER
#endif
};

} // namespace Io
/// Library-specific representation of parsed TLS option settings.
#if USE_OPENSSL
/// OpenSSL: a plain option bitmask (presumably SSL_OP_* bits handed to the
/// context -- confirm in the parser).
typedef long ParsedOptions;
#elif USE_GNUTLS
/// GnuTLS: a compiled priority structure (the type behind gnutls_priority_t),
/// shared so the same priorities can serve many sessions and be released
/// when the last user drops it.
typedef std::shared_ptr<struct gnutls_priority_st> ParsedOptions;
#else
class ParsedOptions {}; // we never parse/use TLS options in this case
#endif
} // namespace Security

#endif /* SQUID_SRC_SECURITY_FORWARD_H */