2 /*
3 * $Id$
4 *
5 * AUTHOR: Benno Rice
6 *
7 * SQUID Internet Object Cache http://squid.nlanr.net/Squid/
8 * ----------------------------------------------------------
9 *
10 * Squid is the result of efforts by numerous individuals from the
11 * Internet community. Development is led by Duane Wessels of the
12 * National Laboratory for Applied Network Research and funded by the
13 * National Science Foundation. Squid is Copyrighted (C) 1998 by
14 * Duane Wessels and the University of California San Diego. Please
15 * see the COPYRIGHT file for full details. Squid incorporates
16 * software developed and/or copyrighted by other sources. Please see
17 * the CREDITS file for full details.
18 *
19 * This program is free software; you can redistribute it and/or modify
20 * it under the terms of the GNU General Public License as published by
21 * the Free Software Foundation; either version 2 of the License, or
22 * (at your option) any later version.
23 *
24 * This program is distributed in the hope that it will be useful,
25 * but WITHOUT ANY WARRANTY; without even the implied warranty of
26 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27 * GNU General Public License for more details.
28 *
29 * You should have received a copy of the GNU General Public License
30 * along with this program; if not, write to the Free Software
31 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
32 *
33 */
34
35 #ifndef SQUID_SSL_SUPPORT_H
36 #define SQUID_SSL_SUPPORT_H
37
38 #include "CbDataList.h"
39 #include "ssl/gadgets.h"
40
41 #if HAVE_OPENSSL_SSL_H
42 #include <openssl/ssl.h>
43 #endif
44 #if HAVE_OPENSSL_X509V3_H
45 #include <openssl/x509v3.h>
46 #endif
47 #if HAVE_OPENSSL_ERR_H
48 #include <openssl/err.h>
49 #endif
50 #if HAVE_OPENSSL_ENGINE_H
51 #include <openssl/engine.h>
52 #endif
53
54 /**
55 \defgroup ServerProtocolSSLAPI Server-Side SSL API
56 \ingroup ServerProtocol
57 */
58
// Custom SSL errors; assumes all official errors are positive.
// These Squid-private codes share the int error space with the OpenSSL
// X509_V_ERR_* / SSL_ERROR_* values (see Ssl::ssl_error_t below), so they
// are kept strictly negative to avoid colliding with a library code.
#define SQUID_X509_V_ERR_CERT_CHANGE -3
#define SQUID_ERR_SSL_HANDSHAKE -2
#define SQUID_X509_V_ERR_DOMAIN_MISMATCH -1
// All SSL errors range: from smallest (negative) custom to largest SSL error.
// NOTE(review): SQUID_SSL_ERROR_MIN must stay equal to the most negative
// custom code above whenever a new custom code is added.
#define SQUID_SSL_ERROR_MIN SQUID_X509_V_ERR_CERT_CHANGE
// NOTE(review): INT_MAX comes from <climits>, which this header does not
// include directly; it currently relies on a transitive include -- verify.
#define SQUID_SSL_ERROR_MAX INT_MAX
66
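/// Forward declaration only: this header needs AnyP::PortCfg by reference, so the
/// full definition is not required here and is left to the users of these APIs.
/// (The stray ';' after the closing brace was an empty declaration that -pedantic
/// rejects before C++11; nothing else changes.)
namespace AnyP
{
class PortCfg;
}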
71
namespace Ssl
{
/// Squid defined error code (<0), an error code returned by SSL X509 api, or SSL_ERROR_NONE.
/// Valid values lie in [SQUID_SSL_ERROR_MIN, SQUID_SSL_ERROR_MAX]: negative values are the
/// SQUID_* codes defined above, non-negative values are OpenSSL's own codes.
typedef int ssl_error_t;

/// A list of ssl_error_t values, presumably so that more than one error can be
/// carried per connection/certificate rather than only the first one seen.
/// NOTE(review): CbDataList is a Squid container; its ownership rules are not visible here.
typedef CbDataList<Ssl::ssl_error_t> Errors;

} //namespace Ssl
80
/// \ingroup ServerProtocolSSLAPI
/// Build the SSL_CTX for the listening (client-facing) side described by "port".
/// NOTE(review): which PortCfg settings (certificate, key, CA, CRL, ...) are
/// mandatory, and what happens when one is missing, is decided in the definition.
SSL_CTX *sslCreateServerContext(AnyP::PortCfg &port);

/// \ingroup ServerProtocolSSLAPI
/// Build the SSL_CTX used when Squid itself is the TLS client.
/// \param certfile,keyfile optional client certificate and private key files
/// \param version protocol version selector (presumably mapped via Ssl::contextMethod)
/// \param cipher OpenSSL cipher list string
/// \param options,flags textual option/flag lists (presumably parsed by Ssl::parse_options / Ssl::parse_flags)
/// \param CAfile,CApath,CRLfile trust anchors and revocation data for peer verification
/// NOTE(review): whether an absent CAfile/CApath silently disables peer verification or
/// fails context creation is a property of the definition -- confirm before relying on
/// this context to authenticate servers.
SSL_CTX *sslCreateClientContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath, const char *CRLfile);

/// \ingroup ServerProtocolSSLAPI
/// Read hook with the (fd, buffer, length) shape; parameters are unnamed here.
/// NOTE(review): presumably installed as the comm-layer read method for TLS fds.
int ssl_read_method(int, char *, int);

/// \ingroup ServerProtocolSSLAPI
/// Write hook with the (fd, buffer, length) shape; parameters are unnamed here.
/// NOTE(review): presumably installed as the comm-layer write method for TLS fds.
int ssl_write_method(int, const char *, int);

/// \ingroup ServerProtocolSSLAPI
/// Shut down the TLS session on "ssl" (the fd itself is not an argument here).
void ssl_shutdown_method(SSL *ssl);

/// \ingroup ServerProtocolSSLAPI
/// Email address taken from the peer ("user") certificate of "ssl".
/// NOTE(review): values extracted from a peer certificate are attacker-supplied unless the
/// handshake enforced client-certificate verification; treat them as authenticated only then.
/// The lifetime of the returned string is not specified here -- check before storing the pointer.
const char *sslGetUserEmail(SSL *ssl);

/// \ingroup ServerProtocolSSLAPI
/// Named attribute of the peer ("user") certificate of "ssl"; same caveats as sslGetUserEmail.
const char *sslGetUserAttribute(SSL *ssl, const char *attribute_name);

/// \ingroup ServerProtocolSSLAPI
/// Named attribute of the CA (issuer) side of the peer certificate of "ssl"; same caveats as above.
const char *sslGetCAAttribute(SSL *ssl, const char *attribute_name);

/// \ingroup ServerProtocolSSLAPI
/// Peer ("user") certificate of "ssl" in PEM form. Lifetime of the result is not specified here.
const char *sslGetUserCertificatePEM(SSL *ssl);

/// \ingroup ServerProtocolSSLAPI
/// Peer ("user") certificate chain of "ssl" in PEM form. Lifetime of the result is not specified here.
const char *sslGetUserCertificateChainPEM(SSL *ssl);
110
namespace Ssl
{
/// \ingroup ServerProtocolSSLAPI
/// Function type shared by the GetX509* accessors below: look up the named
/// attribute in an X509 certificate and return it as a C string.
/// NOTE(review): the lifetime/ownership of the returned buffer is not specified here.
typedef char const *GETX509ATTRIBUTE(X509 *, const char *);

/// \ingroup ServerProtocolSSLAPI
/// Attribute of the certificate holder ("user", presumably the subject), by name.
GETX509ATTRIBUTE GetX509UserAttribute;

/// \ingroup ServerProtocolSSLAPI
/// Attribute of the certificate's CA (presumably the issuer), by name.
GETX509ATTRIBUTE GetX509CAAttribute;

/// \ingroup ServerProtocolSSLAPI
/// Fingerprint of the certificate. NOTE(review): the digest algorithm, and how the
/// second argument is used, are decided by the definition.
GETX509ATTRIBUTE GetX509Fingerprint;

/**
 \ingroup ServerProtocolSSLAPI
 * Supported ssl-bump modes. bumpEnd is a sentinel (one past the last real mode),
 * not a mode of its own; bumpMode() and BumpModeStr rely on that.
 */
enum BumpMode {bumpNone = 0, bumpClientFirst, bumpServerFirst, bumpEnd};

/**
 \ingroup ServerProtocolSSLAPI
 * Short names for ssl-bump modes, indexed by BumpMode.
 * NOTE(review): must hold at least bumpEnd entries; bumpMode() indexes it with any
 * value in [0, bumpEnd).
 */
extern const char *BumpModeStr[];

/**
 \ingroup ServerProtocolSSLAPI
 * Return the short name of the ssl-bump mode "bm", or NULL when "bm" is not a
 * valid BumpMode (negative or >= bumpEnd). The range check is what keeps an
 * out-of-range value, e.g. from a bad configuration, from indexing past BumpModeStr.
 */
inline const char *bumpMode(int bm)
{
    return (0 <= bm && bm < Ssl::bumpEnd) ? Ssl::BumpModeStr[bm] : NULL;
}

/**
 \ingroup ServerProtocolSSLAPI
 * Parses the textual SSL flags list into a long (presumably a bitmask).
 */
long parse_flags(const char *flags);

/**
 \ingroup ServerProtocolSSLAPI
 * Parses the textual SSL options list into a long (presumably an SSL_OP_* bitmask).
 */
long parse_options(const char *options);

/**
 \ingroup ServerProtocolSSLAPI
 * Load a CRLs list stored in a file.
 * \param CRLFile path of the file holding the CRL(s)
 * \param flags in/out; NOTE(review): presumably updated with the verification flags
 *        needed to make the loaded CRLs effective -- confirm in the definition.
 * \return the loaded CRL stack; ownership presumably passes to the caller.
 */
STACK_OF(X509_CRL) *loadCrl(const char *CRLFile, long &flags);

/**
 \ingroup ServerProtocolSSLAPI
 * Load DH params from file.
 * \return the DH parameters; presumably an OpenSSL object the caller must DH_free().
 */
DH *readDHParams(const char *dhfile);

/**
 \ingroup ServerProtocolSSLAPI
 * Compute the Ssl::ContextMethod (SSL_METHOD) from SSL version
 */
ContextMethod contextMethod(int version);

/**
 \ingroup ServerProtocolSSLAPI
 * Generate a certificate to be used as untrusted signing certificate, based on a trusted CA
 * \param untrustedCert,untrustedPkey outputs: the generated signer and its key
 * \param cert,pkey the trusted CA and its key the new signer is derived from
 * NOTE(review): the signer is presumably used to mimic certificates of servers whose
 * own certificate failed validation, so that clients still see a trust error. It must
 * never be installed in client trust stores, or that signal is lost.
 */
bool generateUntrustedCert(X509_Pointer & untrustedCert, EVP_PKEY_Pointer & untrustedPkey, X509_Pointer const & cert, EVP_PKEY_Pointer const & pkey);

/**
 \ingroup ServerProtocolSSLAPI
 * Decide on the kind of certificate and generate a CA- or self-signed one,
 * returning a new SSL_CTX built from it for "port".
 */
SSL_CTX * generateSslContext(CertificateProperties const &properties, AnyP::PortCfg &port);

/**
 \ingroup ServerProtocolSSLAPI
 * Check if the certificate of the given context is still valid
 \param sslContext The context to check
 \param properties Check if the context certificate matches the given properties
 \return true if the contexts certificate is valid, false otherwise
 */
bool verifySslCertificate(SSL_CTX * sslContext, CertificateProperties const &properties);

/**
 \ingroup ServerProtocolSSLAPI
 * Read private key and certificate from memory and generate an SSL context
 * using them.
 * \param data in-memory (presumably PEM) key and certificate
 * NOTE(review): this parses key material from a buffer; make sure only trusted
 * producers (e.g. the certificate generator helper) ever feed "data" to it.
 */
SSL_CTX * generateSslContextUsingPkeyAndCertFromMemory(const char * data, AnyP::PortCfg &port);

/**
 \ingroup ServerProtocolSSLAPI
 * Adds the certificates in certList to the certificate chain of the SSL context
 */
void addChainToSslContext(SSL_CTX *sslContext, STACK_OF(X509) *certList);

/**
 \ingroup ServerProtocolSSLAPI
 * Read certificate, private key and any certificates which must be chained from files.
 * See also: Ssl::readCertAndPrivateKeyFromFiles function, defined in gadgets.h
 * \param cert,pkey,chain outputs: the leaf certificate, its private key and the extra chain certificates
 * \param certFilename name of file with certificate and certificates which must be chained.
 * \param keyFilename name of file with private key.
 */
void readCertChainAndPrivateKeyFromFiles(X509_Pointer & cert, EVP_PKEY_Pointer & pkey, X509_STACK_Pointer & chain, char const * certFilename, char const * keyFilename);

/**
 \ingroup ServerProtocolSSLAPI
 * Iterates over the X509 common and alternate names to see if any matches the given data
 * using the check_func.
 \param peer_cert The X509 cert to check
 \param check_data The data with which the X509 CNs are compared
 \param check_func The function used to match X509 CNs. The CN data is passed as ASN1_STRING data
 \return 1 if any of the certificate CN matches, 0 if none matches.
 * NOTE(review): an ASN1_STRING is not NUL-terminated and may legally contain embedded
 * NUL bytes; check_func must honour ASN1_STRING_length() rather than treating the data
 * as a C string, otherwise a crafted "host\0evil" name compares as "host".
 */
int matchX509CommonNames(X509 *peer_cert, void *check_data, int (*check_func)(void *check_data, ASN1_STRING *cn_data));

/**
 \ingroup ServerProtocolSSLAPI
 * Check if the certificate is valid for a server
 \param cert The X509 cert to check.
 \param server The server name.
 \return true if the certificate is valid for the server or false otherwise.
 * NOTE(review): presumably a name-match check only; chain/trust validation is done
 * elsewhere, so a true result alone does not mean the certificate is trusted.
 */
bool checkX509ServerValidity(X509 *cert, const char *server);

/**
 \ingroup ServerProtocolSSLAPI
 * Convert a given ASN1_TIME to a string form.
 \param tm the time in ASN1_TIME form
 \param buf the buffer to write the output
 \param len write at most len bytes
 \return The number of bytes written
 * NOTE(review): whether the output is NUL-terminated, and whether the return value can
 * exceed len on truncation (snprintf-style), is decided by the definition; check before
 * using buf as a C string.
 */
int asn1timeToString(ASN1_TIME *tm, char *buf, int len);

/**
 \ingroup ServerProtocolSSLAPI
 * Sets the hostname for the Server Name Indication (SNI) TLS extension
 * if supported by the used openssl toolkit.
 \param fqdn host name to send; SNI carries DNS names only (IP literals are not valid
 *      SNI values), and the value travels in clear text in the ClientHello.
 \return true if SNI set false otherwise
 */
bool setClientSNI(SSL *ssl, const char *fqdn);
} //namespace Ssl
257
258 #if _SQUID_MSWIN_
259
260 #if defined(__cplusplus)
261
262 /** \cond AUTODOCS-IGNORE */
namespace Squid
{
/** \endcond */

/// \ingroup ServerProtocolSSLAPI
/// Windows wrapper: Squid fds are CRT descriptors, OpenSSL wants the native
/// socket handle, so translate via _get_osfhandle() before calling OpenSSL.
/// NOTE(review): _get_osfhandle() returns intptr_t while ::SSL_set_fd takes int,
/// so this narrows on 64-bit Windows; it works in practice because Windows keeps
/// handle values within 32 bits, but it is an implicit conversion worth knowing about.
inline
int SSL_set_fd(SSL *ssl, int fd)
{
    return ::SSL_set_fd(ssl, _get_osfhandle(fd));
}

/// \ingroup ServerProtocolSSLAPI
/// Redirect every later SSL_set_fd(...) call in this translation unit to the wrapper.
/// Defined after the wrapper on purpose: the wrapper's own ::SSL_set_fd call was
/// already seen by the preprocessor, so there is no self-recursion.
#define SSL_set_fd(ssl,fd) Squid::SSL_set_fd(ssl,fd)

} /* namespace Squid */
278
279 #else
280
/// \ingroup ServerProtocolSSLAPI
/// C (non-C++) variant of the Windows handle translation: a function-like macro
/// that names itself in its expansion is not re-expanded recursively, so the inner
/// SSL_set_fd is OpenSSL's real function.
#define SSL_set_fd(s,f) (SSL_set_fd(s, _get_osfhandle(f)))
283
284 #endif /* __cplusplus */
285
286 #endif /* _SQUID_MSWIN_ */
287
288 #endif /* SQUID_SSL_SUPPORT_H */