/*
 * Copyright (C) 1996-2020 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */
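#ifndef SQUID_SRC_SECURITY_FORWARD_H
#define SQUID_SRC_SECURITY_FORWARD_H

#include "base/CbDataList.h"
#include "security/Context.h"
#include "security/Session.h"

#if USE_GNUTLS && HAVE_GNUTLS_ABSTRACT_H
#include <gnutls/abstract.h>
#endif
#include <list>     // std::list: CertList and CertRevokeList below
#include <memory>   // std::shared_ptr: the GnuTLS and no-library pointer typedefs below
#if USE_OPENSSL
#include "compat/openssl.h"
// NOTE(review): the per-header HAVE_OPENSSL_*_H guards were partly lost in the
// rendered listing; the err/rsa guards are visible there, the bn guard follows
// the same convention - confirm against the repository.
#if HAVE_OPENSSL_BN_H
#include <openssl/bn.h>
#endif
#if HAVE_OPENSSL_ERR_H
#include <openssl/err.h>
#endif
#if HAVE_OPENSSL_RSA_H
#include <openssl/rsa.h>
#endif
#endif /* USE_OPENSSL */
#include <unordered_set>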
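#if USE_OPENSSL
/// Defines a C++ functor type named `<sk_object>_free_wrapper` whose operator()
/// hands its argument to the OpenSSL `<sk_object>_pop_free()` function together
/// with `freefunction`, the per-element destructor. The resulting type is
/// suitable as the deleter of a smart pointer that owns an OpenSSL stack.
/// \param sk_object      the OpenSSL stack prefix (the `sk_*` part of the API name)
/// \param argument_type  the pointer type `<sk_object>_pop_free()` accepts
/// \param freefunction   the element free function passed to `<sk_object>_pop_free()`
/// \note no trailing semicolon is emitted; the use site supplies it
#define sk_dtor_wrapper(sk_object, argument_type, freefunction) \
    struct sk_object ## _free_wrapper { \
        void operator()(argument_type a) { sk_object ## _pop_free(a, freefunction); } \
    }
#endif /* USE_OPENSSL */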
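/* flags a SSL connection can be configured with */
// Each flag occupies its own bit so that several can be OR-ed together into a
// single Security::ParsedPortFlags value.
// NOTE(review): by their names, the DONT_VERIFY_* flags disable peer certificate
// and peer name verification respectively, i.e. a configuration that sets them
// forgoes TLS authentication of the remote end - confirm the exact effect in
// the code that consumes ParsedPortFlags.
#define SSL_FLAG_NO_DEFAULT_CA      (1<<0)
#define SSL_FLAG_DELAYED_AUTH       (1<<1)
#define SSL_FLAG_DONT_VERIFY_PEER   (1<<2)
#define SSL_FLAG_DONT_VERIFY_DOMAIN (1<<3)
#define SSL_FLAG_NO_SESSION_REUSE   (1<<4)
#define SSL_FLAG_VERIFY_CRL         (1<<5)
#define SSL_FLAG_VERIFY_CRL_ALL     (1<<6)
#define SSL_FLAG_CONDITIONAL_AUTH   (1<<7)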
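/// Network/connection security abstraction layer
namespace Security
{

// NOTE(review): the namespace header and this forward declaration were not
// readable in the listing; CertErrors only needs the name, the class itself is
// presumably defined in its own header - confirm.
class CertError;

/// Holds a list of X.509 certificate errors
typedef CbDataList<Security::CertError> CertErrors;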
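// NOTE(review): the #if/#elif/#else structure around the three alternative
// definitions was restored from the per-library types they use - confirm.
#if USE_OPENSSL
CtoCpp1(X509_free, X509 *);
/// Reference-counted owner of an OpenSSL X509 certificate:
/// X509_up_ref() acquires a reference, X509_free() releases one.
typedef Security::LockingPointer<X509, X509_free_cpp, HardFun<int, X509 *, X509_up_ref> > CertPointer;
#elif USE_GNUTLS
/// Shared owner of a GnuTLS certificate object
typedef std::shared_ptr<struct gnutls_x509_crt_int> CertPointer;
#else
/// Placeholder type for builds without a TLS library
typedef std::shared_ptr<void> CertPointer;
#endif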
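#if USE_OPENSSL
CtoCpp1(X509_CRL_free, X509_CRL *);
/// Reference-counted owner of an OpenSSL certificate revocation list
typedef Security::LockingPointer<X509_CRL, X509_CRL_free_cpp, HardFun<int, X509_CRL *, X509_CRL_up_ref> > CrlPointer;
#elif USE_GNUTLS
CtoCpp1(gnutls_x509_crl_deinit, gnutls_x509_crl_t);
/// Owner of a GnuTLS certificate revocation list
// NOTE(review): the deleter here is the raw gnutls_x509_crl_deinit while the
// *_cpp wrapper generated on the previous line is not used by this typedef;
// confirm whether the wrapper (as in the OpenSSL branch) was intended.
typedef Security::LockingPointer<struct gnutls_x509_crl_int, gnutls_x509_crl_deinit> CrlPointer;
#else
/// Placeholder type for builds without a TLS library
typedef void *CrlPointer;
#endif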
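/// An ordered collection of certificates
typedef std::list<Security::CertPointer> CertList;

/// An ordered collection of certificate revocation lists
typedef std::list<Security::CrlPointer> CertRevokeList;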
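// NOTE(review): only two alternatives (OpenSSL / none) are present for this
// type in the listing, unlike the three for CertPointer - confirm.
#if USE_OPENSSL
CtoCpp1(DH_free, DH *);
/// Reference-counted owner of OpenSSL Diffie-Hellman parameters
typedef Security::LockingPointer<DH, DH_free_cpp, HardFun<int, DH *, DH_up_ref> > DhePointer;
#else
/// Placeholder type for builds without OpenSSL
typedef void *DhePointer;
#endif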
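class EncryptorAnswer;

/// Squid defined error code (<0), an error code returned by X.509 API, or SSL_ERROR_NONE
typedef int ErrorCode;

/// Human-readable description of a TLS error code.
/// \param code an ErrorCode value
/// \return a NUL-terminated string that the caller must not free; with a TLS
///         library it is owned by that library, otherwise it is a literal
inline const char *ErrorString(const ErrorCode code) {
#if USE_OPENSSL
    // OpenSSL documents that a null buffer makes ERR_error_string() format into
    // a static buffer shared by all callers, so the result is neither
    // thread-safe nor stable across calls.
    // NOTE(review): ERR_error_string() takes an unsigned long, so a negative
    // Squid-defined code is converted before lookup - confirm callers do not
    // expect a meaningful text for those codes here.
    return ERR_error_string(code, nullptr);
#elif USE_GNUTLS
    return gnutls_strerror(code);
#else
    return "[no TLS library]";
#endif
}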
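/// set of Squid defined TLS error codes
/// \note using std::unordered_set ensures values are unique, with fast lookup
typedef std::unordered_set<Security::ErrorCode> Errors;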
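#if USE_OPENSSL
/// Connection direction identifiers: 'to-client' means Squid acts as the TLS
/// server on that connection, 'to-server' that it acts as the TLS client.
enum {
    BIO_TO_CLIENT = 6000,
    // NOTE(review): this enumerator's line was not readable in the listing;
    // restored as the implicit successor of BIO_TO_CLIENT - confirm.
    BIO_TO_SERVER
};
#elif USE_GNUTLS
// NP: this is odd looking but correct.
// 'to-client' means we are a server, and vice versa.
enum {
    BIO_TO_CLIENT = GNUTLS_SERVER,
    BIO_TO_SERVER = GNUTLS_CLIENT
};
#else
/// No TLS library: keep the same numbering as the OpenSSL build
enum {
    BIO_TO_CLIENT = 6000,
    BIO_TO_SERVER
};
#endif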
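#if USE_OPENSSL
/// configured TLS options in the numeric form the OpenSSL API consumes
typedef long ParsedOptions;
#elif USE_GNUTLS
/// configured TLS options as a shared GnuTLS priority object
typedef std::shared_ptr<struct gnutls_priority_st> ParsedOptions;
#else
class ParsedOptions {}; // we never parse/use TLS options in this case
#endif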
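/// bitmask representing configured http(s)_port `sslflags`
/// as well as tls_outgoing_options `flags`, cache_peer `sslflags`, and
/// icap_service `tls-flags`; the individual bits are the SSL_FLAG_* macros
typedef long ParsedPortFlags;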
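#if USE_OPENSSL
CtoCpp1(EVP_PKEY_free, EVP_PKEY *); // ';' added for consistency with the other CtoCpp1 uses in this header
/// Reference-counted owner of an OpenSSL private key
typedef Security::LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, HardFun<int, EVP_PKEY *, EVP_PKEY_up_ref> > PrivateKeyPointer;
#elif USE_GNUTLS
/// Shared owner of a GnuTLS private key object
typedef std::shared_ptr<struct gnutls_x509_privkey_int> PrivateKeyPointer;
#else
/// Placeholder type for builds without a TLS library
typedef std::shared_ptr<void> PrivateKeyPointer;
#endif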
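} // namespace Security

#endif /* SQUID_SRC_SECURITY_FORWARD_H */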