2 /*
3 * $Id$
4 *
5 * AUTHOR: Benno Rice
6 *
7 * SQUID Internet Object Cache http://squid.nlanr.net/Squid/
8 * ----------------------------------------------------------
9 *
10 * Squid is the result of efforts by numerous individuals from the
11 * Internet community. Development is led by Duane Wessels of the
12 * National Laboratory for Applied Network Research and funded by the
13 * National Science Foundation. Squid is Copyrighted (C) 1998 by
14 * Duane Wessels and the University of California San Diego. Please
15 * see the COPYRIGHT file for full details. Squid incorporates
16 * software developed and/or copyrighted by other sources. Please see
17 * the CREDITS file for full details.
18 *
19 * This program is free software; you can redistribute it and/or modify
20 * it under the terms of the GNU General Public License as published by
21 * the Free Software Foundation; either version 2 of the License, or
22 * (at your option) any later version.
23 *
24 * This program is distributed in the hope that it will be useful,
25 * but WITHOUT ANY WARRANTY; without even the implied warranty of
26 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27 * GNU General Public License for more details.
28 *
29 * You should have received a copy of the GNU General Public License
30 * along with this program; if not, write to the Free Software
31 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
32 *
33 */
34
35 #ifndef SQUID_SSL_SUPPORT_H
36 #define SQUID_SSL_SUPPORT_H
37
38 #include "ssl/gadgets.h"
39
40 #if HAVE_OPENSSL_SSL_H
41 #include <openssl/ssl.h>
42 #endif
43 #if HAVE_OPENSSL_X509V3_H
44 #include <openssl/x509v3.h>
45 #endif
46 #if HAVE_OPENSSL_ERR_H
47 #include <openssl/err.h>
48 #endif
49 #if HAVE_OPENSSL_ENGINE_H
50 #include <openssl/engine.h>
51 #endif
52
53 /**
54 \defgroup ServerProtocolSSLAPI Server-Side SSL API
55 \ingroup ServerProtocol
56 */
57
58 // Custom SSL errors; assumes all official errors are positive
59 #define SQUID_ERR_SSL_HANDSHAKE -2
60 #define SQUID_X509_V_ERR_DOMAIN_MISMATCH -1
61 // All SSL errors range: from smallest (negative) custom to largest SSL error
62 #define SQUID_SSL_ERROR_MIN SQUID_ERR_SSL_HANDSHAKE
63 #define SQUID_SSL_ERROR_MAX INT_MAX
64
namespace Ssl
{
/// Error code used throughout the SSL layer. Holds one of three things:
/// a Squid-defined error (negative, e.g. SQUID_ERR_SSL_HANDSHAKE or
/// SQUID_X509_V_ERR_DOMAIN_MISMATCH above), an error code returned by the
/// OpenSSL X509 verification API, or SSL_ERROR_NONE.
typedef int ssl_error_t;
} //namespace Ssl
70
/// \ingroup ServerProtocolSSLAPI
/// Creates the SSL_CTX used on the server side (terminating TLS from clients).
/// The arguments are the configuration values for that context: certificate
/// and key file names, protocol version, cipher list, option and flag strings,
/// the CA used to verify client certificates (clientCA), CA file/path and CRL
/// file, the DH parameter file and a context identifier. Roles are read off
/// the parameter names only — confirm against the implementation.
/// NOTE(review): neither the failure return (presumably NULL) nor who frees
/// the returned SSL_CTX is stated in this header.
SSL_CTX *sslCreateServerContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *clientCA, const char *CAfile, const char *CApath, const char *CRLfile, const char *dhpath, const char *context);

/// \ingroup ServerProtocolSSLAPI
/// Creates the SSL_CTX used on the client side (Squid connecting to TLS
/// servers). Takes the same configuration-string arguments as
/// sslCreateServerContext() minus the client-CA, DH and context parameters.
/// NOTE(review): failure return and ownership of the result are not stated
/// here either.
SSL_CTX *sslCreateClientContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath, const char *CRLfile);

/// \ingroup ServerProtocolSSLAPI
/// Read method with a (descriptor, buffer, length) signature; the parameters
/// are unnamed in this declaration, so their roles are inferred from the
/// types and from ssl_write_method() below.
int ssl_read_method(int, char *, int);

/// \ingroup ServerProtocolSSLAPI
/// Write method, the counterpart of ssl_read_method(): presumably a
/// descriptor, a read-only buffer and a length.
int ssl_write_method(int, const char *, int);

/// \ingroup ServerProtocolSSLAPI
/// Shuts down the TLS session \a ssl.
void ssl_shutdown_method(SSL *ssl);


/// \ingroup ServerProtocolSSLAPI
/// Returns the e-mail address taken from the user (presumably peer)
/// certificate of \a ssl; which certificate field is used is not stated here.
/// NOTE(review): the lifetime of the returned string and the value returned
/// when no address is present are not documented in this header — do not
/// cache the pointer without confirming who owns it.
const char *sslGetUserEmail(SSL *ssl);

/// \ingroup ServerProtocolSSLAPI
/// Function type shared by the two certificate-attribute getters declared
/// below: takes the SSL session and a second C-string argument (presumably
/// the attribute name) and returns the attribute value as a C string.
typedef char const *SSLGETATTRIBUTE(SSL *, const char *);

/// \ingroup ServerProtocolSSLAPI
/// Getter for attributes of the user certificate; see SSLGETATTRIBUTE.
SSLGETATTRIBUTE sslGetUserAttribute;

/// \ingroup ServerProtocolSSLAPI
/// Getter for attributes of the CA certificate; see SSLGETATTRIBUTE.
SSLGETATTRIBUTE sslGetCAAttribute;

/// \ingroup ServerProtocolSSLAPI
/// Returns the user certificate of \a ssl in PEM form. Same lifetime caveat
/// as sslGetUserEmail().
const char *sslGetUserCertificatePEM(SSL *ssl);

/// \ingroup ServerProtocolSSLAPI
/// Returns the user certificate chain of \a ssl in PEM form. Same lifetime
/// caveat as sslGetUserEmail().
const char *sslGetUserCertificateChainPEM(SSL *ssl);
104
namespace Ssl
{
/**
 \ingroup ServerProtocolSSLAPI
 * Decides on the kind of certificate to use and generates a CA-signed or
 * self-signed one, returning an SSL context built around it.
 \param host the host name the generated certificate is for
 \param mimicCert certificate whose properties are mimicked (from the name)
 \param signedX509 the signing (CA) certificate
 \param signedPkey the private key that goes with signedX509
 * NOTE(review): parameter roles are inferred from their names; confirm
 * against the implementation, as is the failure return (presumably NULL).
 */
SSL_CTX *generateSslContext(char const *host, Ssl::X509_Pointer const & mimicCert, Ssl::X509_Pointer const & signedX509, Ssl::EVP_PKEY_Pointer const & signedPkey);

/**
 \ingroup ServerProtocolSSLAPI
 * Checks the dates on the certificate held by the SSL context. If the
 * certificate is out of date the function returns false, true otherwise.
 */
bool verifySslCertificateDate(SSL_CTX * sslContext);

/**
 \ingroup ServerProtocolSSLAPI
 * Reads a private key and a certificate from the memory buffer \a data and
 * generates an SSL context using them.
 * NOTE(review): the expected encoding of \a data (presumably PEM) and how
 * its end is detected are not stated here — confirm before feeding it data
 * that did not originate from Squid itself.
 */
SSL_CTX * generateSslContextUsingPkeyAndCertFromMemory(const char * data);

/**
 \ingroup ServerProtocolSSLAPI
 * Adds the certificates in certList to the certificate chain of the SSL context.
 */
void addChainToSslContext(SSL_CTX *sslContext, STACK_OF(X509) *certList);

/**
 \ingroup ServerProtocolSSLAPI
 * Reads the certificate, the private key and any certificates that must be
 * chained from files.
 * See also: Ssl::readCertAndPrivateKeyFromFiles function, defined in gadgets.h
 \param cert receives the certificate read from certFilename
 \param pkey receives the private key read from keyFilename
 \param chain receives the additional certificates that must be chained
 \param certFilename name of the file with the certificate and the certificates which must be chained.
 \param keyFilename name of the file with the private key.
 */
void readCertChainAndPrivateKeyFromFiles(X509_Pointer & cert, EVP_PKEY_Pointer & pkey, X509_STACK_Pointer & chain, char const * certFilename, char const * keyFilename);

/**
 \ingroup ServerProtocolSSLAPI
 * Iterates over the X509 common name and alternative names and checks whether
 * any of them matches the given data using check_func.
 \param peer_cert The X509 cert to check
 \param check_data The data with which the X509 CNs are compared
 \param check_func The function used to match X509 CNs. The CN data is passed as ASN1_STRING data
 \return 1 if any of the certificate CNs matches, 0 if none matches.
 * NOTE(review): an ASN1_STRING is not guaranteed to be NUL-terminated; a
 * check_func implementation should bound its comparison with
 * ASN1_STRING_length() rather than treat the bytes as a C string.
 */
int matchX509CommonNames(X509 *peer_cert, void *check_data, int (*check_func)(void *check_data, ASN1_STRING *cn_data));

/**
 \ingroup ServerProtocolSSLAPI
 * Converts a given ASN1_TIME to string form.
 \param tm the time in ASN1_TIME form
 \param buf the buffer to write the output to
 \param len write at most len bytes
 \return The number of bytes written
 * NOTE(review): whether \a len includes a terminating NUL, and what is
 * returned when \a buf is too small, are not stated here — confirm before
 * sizing buffers from the return value.
 */
int asn1timeToString(ASN1_TIME *tm, char *buf, int len);

/**
 \ingroup ServerProtocolSSLAPI
 * Sets the host name for the Server Name Indication (SNI) TLS extension,
 * if supported by the OpenSSL toolkit in use.
 \return true if SNI was set, false otherwise
 */
bool setClientSNI(SSL *ssl, const char *fqdn);

/**
 \ingroup ServerProtocolSSLAPI
 * Returns the CN from the certificate, suitable for use as a host name.
 * Uses static memory to temporarily store the extracted name, so the
 * returned pointer is only valid until the next call and the function is
 * neither reentrant nor safe to call from more than one thread.
 */
const char *CommonHostName(X509 *x509);
} //namespace Ssl
178
179 #if _SQUID_MSWIN_
180
181 #if defined(__cplusplus)
182
183 /** \cond AUTODOCS-IGNORE */
namespace Squid
{
/** \endcond */

/// \ingroup ServerProtocolSSLAPI
/// Windows replacement for OpenSSL's SSL_set_fd(): translates the CRT file
/// descriptor \a fd into the underlying OS socket handle before handing it
/// to OpenSSL, which on this platform works with OS handles rather than
/// CRT descriptors.
/// \param ssl the SSL session to attach the socket to
/// \param fd the CRT descriptor of the socket
/// \return whatever ::SSL_set_fd() returns (1 on success, 0 on failure)
/// NOTE(review): _get_osfhandle() yields an intptr_t that is narrowed to int
/// in the call, exactly as in the original expression; an invalid \a fd maps
/// to INVALID_HANDLE_VALUE (-1) and is passed through unchecked, so callers
/// must look at the return value.
inline int SSL_set_fd(SSL *ssl, int fd)
{
    const auto osHandle = _get_osfhandle(fd);
    return ::SSL_set_fd(ssl, static_cast<int>(osHandle));
}

/// \ingroup ServerProtocolSSLAPI
/// Defined after the inline body above so that the qualified ::SSL_set_fd
/// call inside it is not rewritten by this macro.
#define SSL_set_fd(ssl,fd) Squid::SSL_set_fd(ssl,fd)

} /* namespace Squid */
199
200 #else
201
202 /// \ingroup ServerProtocolSSLAPI
203 #define SSL_set_fd(s,f) (SSL_set_fd(s, _get_osfhandle(f)))
204
205 #endif /* __cplusplus */
206
207 #endif /* _SQUID_MSWIN_ */
208
209 #endif /* SQUID_SSL_SUPPORT_H */