src/security/forward.h

   1 /*
   2  * Copyright (C) 1996-2020 The Squid Software Foundation and contributors
   3  *
   4  * Squid software is distributed under GPLv2+ license and includes
   5  * contributions from numerous individuals and organizations.
   6  * Please see the COPYING and CONTRIBUTORS files for details.
   7  */
   8
   9 #ifndef SQUID_SRC_SECURITY_FORWARD_H
  10 #define SQUID_SRC_SECURITY_FORWARD_H
  11
  12 #include "base/CbDataList.h"
  13 #include "security/Context.h"
  14 #include "security/Session.h"
  15
  16 #if USE_GNUTLS && HAVE_GNUTLS_ABSTRACT_H
  17 #include <gnutls/abstract.h>
  18 #endif
  19 #include <list>
  20 #if USE_OPENSSL
  21 #include "compat/openssl.h"
  22 #if HAVE_OPENSSL_BN_H
  23 #include <openssl/bn.h>
  24 #endif
  25 #if HAVE_OPENSSL_ERR_H
  26 #include <openssl/err.h>
  27 #endif
  28 #if HAVE_OPENSSL_RSA_H
  29 #include <openssl/rsa.h>
  30 #endif
  31 #endif /* USE_OPENSSL */
  32 #include <unordered_set>
  33
  34 #if USE_OPENSSL
  35 // Macro to be used to define the C++ wrapper functor of the sk_*_pop_free
  36 // OpenSSL family of functions. The C++ functor is suffixed with the _free_wrapper
  37 // extension
  38 #define sk_dtor_wrapper(sk_object, argument_type, freefunction) \
  39         struct sk_object ## _free_wrapper { \
  40             void operator()(argument_type a) { sk_object ## _pop_free(a, freefunction); } \
  41         }
  42 #endif /* USE_OPENSSL */
  43
  44 /* flags a SSL connection can be configured with */
  45 #define SSL_FLAG_NO_DEFAULT_CA      (1<<0)
  46 #define SSL_FLAG_DELAYED_AUTH       (1<<1)
  47 #define SSL_FLAG_DONT_VERIFY_PEER   (1<<2)
  48 #define SSL_FLAG_DONT_VERIFY_DOMAIN (1<<3)
  49 #define SSL_FLAG_NO_SESSION_REUSE   (1<<4)
  50 #define SSL_FLAG_VERIFY_CRL         (1<<5)
  51 #define SSL_FLAG_VERIFY_CRL_ALL     (1<<6)
  52 #define SSL_FLAG_CONDITIONAL_AUTH   (1<<7)
  53
  54 /// Network/connection security abstraction layer
  55 namespace Security
  56 {
  57
  58 class CertError;
  59 /// Holds a list of X.509 certificate errors
  60 typedef CbDataList<Security::CertError> CertErrors;
  61
  62 #if USE_OPENSSL
  63 CtoCpp1(X509_free, X509 *);
  64 typedef Security::LockingPointer<X509, X509_free_cpp, HardFun<int, X509 *, X509_up_ref> > CertPointer;
  65 #elif USE_GNUTLS
  66 typedef std::shared_ptr<struct gnutls_x509_crt_int> CertPointer;
  67 #else
  68 typedef std::shared_ptr<void> CertPointer;
  69 #endif
  70
  71 #if USE_OPENSSL
  72 CtoCpp1(X509_CRL_free, X509_CRL *);
  73 typedef Security::LockingPointer<X509_CRL, X509_CRL_free_cpp, HardFun<int, X509_CRL *, X509_CRL_up_ref> > CrlPointer;
  74 #elif USE_GNUTLS
  75 CtoCpp1(gnutls_x509_crl_deinit, gnutls_x509_crl_t);
  76 typedef Security::LockingPointer<struct gnutls_x509_crl_int, gnutls_x509_crl_deinit> CrlPointer;
  77 #else
  78 typedef void *CrlPointer;
  79 #endif
  80
  81 typedef std::list<Security::CertPointer> CertList;
  82
  83 typedef std::list<Security::CrlPointer> CertRevokeList;
  84
  85 #if USE_OPENSSL
  86 CtoCpp1(DH_free, DH *);
  87 typedef Security::LockingPointer<DH, DH_free_cpp, HardFun<int, DH *, DH_up_ref> > DhePointer;
  88 #else
  89 typedef void *DhePointer;
  90 #endif
  91
  92 class EncryptorAnswer;
  93
  94 /// Squid defined error code (<0), an error code returned by X.509 API, or SSL_ERROR_NONE
  95 typedef int ErrorCode;
  96
  97 inline const char *ErrorString(const ErrorCode code) {
  98 #if USE_OPENSSL
  99     return ERR_error_string(code, nullptr);
 100 #elif USE_GNUTLS
 101     return gnutls_strerror(code);
 102 #else
 103     return "[no TLS library]";
 104 #endif
 105 }
 106
 107 /// set of Squid defined TLS error codes
 108 /// \note using std::unordered_set ensures values are unique, with fast lookup
 109 typedef std::unordered_set<Security::ErrorCode> Errors;
 110
 111 namespace Io
 112 {
 113 enum Type {
 114 #if USE_OPENSSL
 115     BIO_TO_CLIENT = 6000,
 116     BIO_TO_SERVER
 117 #elif USE_GNUTLS
 118     // NP: this is odd looking but correct.
 119     // 'to-client' means we are a server, and vice versa.
 120     BIO_TO_CLIENT = GNUTLS_SERVER,
 121     BIO_TO_SERVER = GNUTLS_CLIENT
 122 #else
 123     BIO_TO_CLIENT = 6000,
 124     BIO_TO_SERVER
 125 #endif
 126 };
 127
 128 } // namespace Io
 129
 130 class KeyData;
 131
 132 #if USE_OPENSSL
 133 typedef long ParsedOptions;
 134 #elif USE_GNUTLS
 135 typedef std::shared_ptr<struct gnutls_priority_st> ParsedOptions;
 136 #else
 137 class ParsedOptions {}; // we never parse/use TLS options in this case
 138 #endif
 139
 140 /// bitmask representing configured http(s)_port `sslflags`
 141 /// as well tls_outgoing_options `flags`, cache_peer `sslflags`, and
 142 /// icap_service `tls-flags`
 143 typedef long ParsedPortFlags;
 144
 145 class PeerConnector;
 146 class PeerOptions;
 147
 148 #if USE_OPENSSL
 149 CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
 150 typedef Security::LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, HardFun<int, EVP_PKEY *, EVP_PKEY_up_ref> > PrivateKeyPointer;
 151 #elif USE_GNUTLS
 152 typedef std::shared_ptr<struct gnutls_x509_privkey_int> PrivateKeyPointer;
 153 #else
 154 typedef std::shared_ptr<void> PrivateKeyPointer;
 155 #endif
 156
 157 class ServerOptions;
 158
 159 } // namespace Security
 160
 161 #endif /* SQUID_SRC_SECURITY_FORWARD_H */
 162