7 * SQUID Internet Object Cache http://squid.nlanr.net/Squid/
8 * ----------------------------------------------------------
10 * Squid is the result of efforts by numerous individuals from the
11 * Internet community. Development is led by Duane Wessels of the
12 * National Laboratory for Applied Network Research and funded by the
13 * National Science Foundation. Squid is Copyrighted (C) 1998 by
14 * Duane Wessels and the University of California San Diego. Please
15 * see the COPYRIGHT file for full details. Squid incorporates
16 * software developed and/or copyrighted by other sources. Please see
17 * the CREDITS file for full details.
19 * This program is free software; you can redistribute it and/or modify
20 * it under the terms of the GNU General Public License as published by
21 * the Free Software Foundation; either version 2 of the License, or
22 * (at your option) any later version.
24 * This program is distributed in the hope that it will be useful,
25 * but WITHOUT ANY WARRANTY; without even the implied warranty of
26 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27 * GNU General Public License for more details.
29 * You should have received a copy of the GNU General Public License
30 * along with this program; if not, write to the Free Software
31 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
35 #ifndef SQUID_SSL_SUPPORT_H
36 #define SQUID_SSL_SUPPORT_H
38 #include "ssl/gadgets.h"
40 #if HAVE_OPENSSL_SSL_H
41 #include <openssl/ssl.h>
43 #if HAVE_OPENSSL_X509V3_H
44 #include <openssl/x509v3.h>
46 #if HAVE_OPENSSL_ERR_H
47 #include <openssl/err.h>
49 #if HAVE_OPENSSL_ENGINE_H
50 #include <openssl/engine.h>
54 \defgroup ServerProtocolSSLAPI Server-Side SSL API
55 \ingroup ServerProtocol
58 // Custom SSL errors; assumes all official errors are positive
59 #define SQUID_ERR_SSL_HANDSHAKE -2
60 #define SQUID_X509_V_ERR_DOMAIN_MISMATCH -1
61 // All SSL errors range: from smallest (negative) custom to largest SSL error
62 #define SQUID_SSL_ERROR_MIN SQUID_ERR_SSL_HANDSHAKE
63 #define SQUID_SSL_ERROR_MAX INT_MAX
67 /// Squid defined error code (<0), an error code returned by SSL X509 api, or SSL_ERROR_NONE
68 typedef int ssl_error_t
;
71 /// \ingroup ServerProtocolSSLAPI
72 SSL_CTX
*sslCreateServerContext(const char *certfile
, const char *keyfile
, int version
, const char *cipher
, const char *options
, const char *flags
, const char *clientCA
, const char *CAfile
, const char *CApath
, const char *CRLfile
, const char *dhpath
, const char *context
);
74 /// \ingroup ServerProtocolSSLAPI
75 SSL_CTX
*sslCreateClientContext(const char *certfile
, const char *keyfile
, int version
, const char *cipher
, const char *options
, const char *flags
, const char *CAfile
, const char *CApath
, const char *CRLfile
);
77 /// \ingroup ServerProtocolSSLAPI
78 int ssl_read_method(int, char *, int);
80 /// \ingroup ServerProtocolSSLAPI
81 int ssl_write_method(int, const char *, int);
83 /// \ingroup ServerProtocolSSLAPI
84 void ssl_shutdown_method(SSL
*ssl
);
87 /// \ingroup ServerProtocolSSLAPI
88 const char *sslGetUserEmail(SSL
*ssl
);
90 /// \ingroup ServerProtocolSSLAPI
91 typedef char const *SSLGETATTRIBUTE(SSL
*, const char *);
93 /// \ingroup ServerProtocolSSLAPI
94 SSLGETATTRIBUTE sslGetUserAttribute
;
96 /// \ingroup ServerProtocolSSLAPI
97 SSLGETATTRIBUTE sslGetCAAttribute
;
99 /// \ingroup ServerProtocolSSLAPI
100 const char *sslGetUserCertificatePEM(SSL
*ssl
);
102 /// \ingroup ServerProtocolSSLAPI
103 const char *sslGetUserCertificateChainPEM(SSL
*ssl
);
108 \ingroup ServerProtocolSSLAPI
109 * Decide on the kind of certificate and generate a CA- or self-signed one
111 SSL_CTX
*generateSslContext(char const *host
, Ssl::X509_Pointer
const & mimicCert
, Ssl::X509_Pointer
const & signedX509
, Ssl::EVP_PKEY_Pointer
const & signedPkey
);
114 \ingroup ServerProtocolSSLAPI
115 * Check date of certificate signature. If there is out of date error fucntion
116 * returns false, true otherwise.
118 bool verifySslCertificateDate(SSL_CTX
* sslContext
);
121 \ingroup ServerProtocolSSLAPI
122 * Read private key and certificate from memory and generate SSL context
125 SSL_CTX
* generateSslContextUsingPkeyAndCertFromMemory(const char * data
);
128 \ingroup ServerProtocolSSLAPI
129 * Adds the certificates in certList to the certificate chain of the SSL context
131 void addChainToSslContext(SSL_CTX
*sslContext
, STACK_OF(X509
) *certList
);
134 \ingroup ServerProtocolSSLAPI
135 * Read certificate, private key and any certificates which must be chained from files.
136 * See also: Ssl::readCertAndPrivateKeyFromFiles function, defined in gadgets.h
137 * \param certFilename name of file with certificate and certificates which must be chainned.
138 * \param keyFilename name of file with private key.
140 void readCertChainAndPrivateKeyFromFiles(X509_Pointer
& cert
, EVP_PKEY_Pointer
& pkey
, X509_STACK_Pointer
& chain
, char const * certFilename
, char const * keyFilename
);
143 \ingroup ServerProtocolSSLAPI
144 * Iterates over the X509 common and alternate names and to see if matches with given data
145 * using the check_func.
146 \param peer_cert The X509 cert to check
147 \param check_data The data with which the X509 CNs compared
148 \param check_func The function used to match X509 CNs. The CN data passed as ASN1_STRING data
149 \return 1 if any of the certificate CN matches, 0 if none matches.
151 int matchX509CommonNames(X509
*peer_cert
, void *check_data
, int (*check_func
)(void *check_data
, ASN1_STRING
*cn_data
));
154 \ingroup ServerProtocolSSLAPI
155 * Convert a given ASN1_TIME to a string form.
156 \param tm the time in ASN1_TIME form
157 \param buf the buffer to write the output
158 \param len write at most len bytes
159 \return The number of bytes written
161 int asn1timeToString(ASN1_TIME
*tm
, char *buf
, int len
);
164 \ingroup ServerProtocolSSLAPI
165 * Sets the hostname for the Server Name Indication (SNI) TLS extension
166 * if supported by the used openssl toolkit.
167 \return true if SNI set false otherwise
169 bool setClientSNI(SSL
*ssl
, const char *fqdn
);
172 \ingroup ServerProtocolSSLAPI
173 * Returns CN from the certificate, suitable for use as a host name.
174 * Uses static memory to temporary store the extracted name.
176 const char *CommonHostName(X509
*x509
);
181 #if defined(__cplusplus)
183 /** \cond AUTODOCS-IGNORE */
188 /// \ingroup ServerProtocolSSLAPI
190 int SSL_set_fd(SSL
*ssl
, int fd
)
192 return ::SSL_set_fd(ssl
, _get_osfhandle(fd
));
195 /// \ingroup ServerProtocolSSLAPI
196 #define SSL_set_fd(ssl,fd) Squid::SSL_set_fd(ssl,fd)
198 } /* namespace Squid */
202 /// \ingroup ServerProtocolSSLAPI
203 #define SSL_set_fd(s,f) (SSL_set_fd(s, _get_osfhandle(f)))
205 #endif /* __cplusplus */
207 #endif /* _SQUID_MSWIN_ */
209 #endif /* SQUID_SSL_SUPPORT_H */