7 * SQUID Internet Object Cache http://squid.nlanr.net/Squid/
8 * ----------------------------------------------------------
10 * Squid is the result of efforts by numerous individuals from the
11 * Internet community. Development is led by Duane Wessels of the
12 * National Laboratory for Applied Network Research and funded by the
13 * National Science Foundation. Squid is Copyrighted (C) 1998 by
14 * Duane Wessels and the University of California San Diego. Please
15 * see the COPYRIGHT file for full details. Squid incorporates
16 * software developed and/or copyrighted by other sources. Please see
17 * the CREDITS file for full details.
19 * This program is free software; you can redistribute it and/or modify
20 * it under the terms of the GNU General Public License as published by
21 * the Free Software Foundation; either version 2 of the License, or
22 * (at your option) any later version.
24 * This program is distributed in the hope that it will be useful,
25 * but WITHOUT ANY WARRANTY; without even the implied warranty of
26 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27 * GNU General Public License for more details.
29 * You should have received a copy of the GNU General Public License
30 * along with this program; if not, write to the Free Software
31 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
35 #ifndef SQUID_SSL_SUPPORT_H
36 #define SQUID_SSL_SUPPORT_H
38 #include "CbDataList.h"
39 #include "ssl/gadgets.h"
41 #if HAVE_OPENSSL_SSL_H
42 #include <openssl/ssl.h>
44 #if HAVE_OPENSSL_X509V3_H
45 #include <openssl/x509v3.h>
47 #if HAVE_OPENSSL_ERR_H
48 #include <openssl/err.h>
50 #if HAVE_OPENSSL_ENGINE_H
51 #include <openssl/engine.h>
55 \defgroup ServerProtocolSSLAPI Server-Side SSL API
56 \ingroup ServerProtocol
59 // Custom SSL errors; assumes all official errors are positive
60 #define SQUID_X509_V_ERR_CERT_CHANGE -3
61 #define SQUID_ERR_SSL_HANDSHAKE -2
62 #define SQUID_X509_V_ERR_DOMAIN_MISMATCH -1
63 // All SSL errors range: from smallest (negative) custom to largest SSL error
64 #define SQUID_SSL_ERROR_MIN SQUID_X509_V_ERR_CERT_CHANGE
65 #define SQUID_SSL_ERROR_MAX INT_MAX
69 /// Squid defined error code (<0), an error code returned by SSL X509 api, or SSL_ERROR_NONE
70 typedef int ssl_error_t
;
72 typedef CbDataList
<Ssl::ssl_error_t
> Errors
;
76 /// \ingroup ServerProtocolSSLAPI
77 SSL_CTX
*sslCreateServerContext(const char *certfile
, const char *keyfile
, int version
, const char *cipher
, const char *options
, const char *flags
, const char *clientCA
, const char *CAfile
, const char *CApath
, const char *CRLfile
, const char *dhpath
, const char *context
);
79 /// \ingroup ServerProtocolSSLAPI
80 SSL_CTX
*sslCreateClientContext(const char *certfile
, const char *keyfile
, int version
, const char *cipher
, const char *options
, const char *flags
, const char *CAfile
, const char *CApath
, const char *CRLfile
);
82 /// \ingroup ServerProtocolSSLAPI
83 int ssl_read_method(int, char *, int);
85 /// \ingroup ServerProtocolSSLAPI
86 int ssl_write_method(int, const char *, int);
88 /// \ingroup ServerProtocolSSLAPI
89 void ssl_shutdown_method(SSL
*ssl
);
92 /// \ingroup ServerProtocolSSLAPI
93 const char *sslGetUserEmail(SSL
*ssl
);
95 /// \ingroup ServerProtocolSSLAPI
96 typedef char const *SSLGETATTRIBUTE(SSL
*, const char *);
98 /// \ingroup ServerProtocolSSLAPI
99 SSLGETATTRIBUTE sslGetUserAttribute
;
101 /// \ingroup ServerProtocolSSLAPI
102 SSLGETATTRIBUTE sslGetCAAttribute
;
104 /// \ingroup ServerProtocolSSLAPI
105 const char *sslGetUserCertificatePEM(SSL
*ssl
);
107 /// \ingroup ServerProtocolSSLAPI
108 const char *sslGetUserCertificateChainPEM(SSL
*ssl
);
114 \ingroup ServerProtocolSSLAPI
115 * A temporary self-signed certificate generated on squid start up, to be
116 * used to sign the generated untrusted certificates.
118 extern X509_Pointer SquidCaCert
;
121 \ingroup ServerProtocolSSLAPI
122 * The key of the SquidCaCert certificate.
124 extern EVP_PKEY_Pointer SquidCaCertKey
;
127 \ingroup ServerProtocolSSLAPI
128 * Decide on the kind of certificate and generate a CA- or self-signed one
130 SSL_CTX
* generateSslContext(CertificateProperties
const &properties
);
133 \ingroup ServerProtocolSSLAPI
134 * Check if the certificate of the given context is still valid
135 \param sslContext The context to check
136 \param checkCert Also check if the context certificate matches this certificate
137 \return true if the contexts certificate is valid, false otherwise
139 bool verifySslCertificate(SSL_CTX
* sslContext
, X509
*checkCert
= NULL
);
142 \ingroup ServerProtocolSSLAPI
143 * Read private key and certificate from memory and generate SSL context
146 SSL_CTX
* generateSslContextUsingPkeyAndCertFromMemory(const char * data
);
149 \ingroup ServerProtocolSSLAPI
150 * Adds the certificates in certList to the certificate chain of the SSL context
152 void addChainToSslContext(SSL_CTX
*sslContext
, STACK_OF(X509
) *certList
);
155 \ingroup ServerProtocolSSLAPI
156 * Read certificate, private key and any certificates which must be chained from files.
157 * See also: Ssl::readCertAndPrivateKeyFromFiles function, defined in gadgets.h
158 * \param certFilename name of file with certificate and certificates which must be chainned.
159 * \param keyFilename name of file with private key.
161 void readCertChainAndPrivateKeyFromFiles(X509_Pointer
& cert
, EVP_PKEY_Pointer
& pkey
, X509_STACK_Pointer
& chain
, char const * certFilename
, char const * keyFilename
);
164 \ingroup ServerProtocolSSLAPI
165 * Iterates over the X509 common and alternate names and to see if matches with given data
166 * using the check_func.
167 \param peer_cert The X509 cert to check
168 \param check_data The data with which the X509 CNs compared
169 \param check_func The function used to match X509 CNs. The CN data passed as ASN1_STRING data
170 \return 1 if any of the certificate CN matches, 0 if none matches.
172 int matchX509CommonNames(X509
*peer_cert
, void *check_data
, int (*check_func
)(void *check_data
, ASN1_STRING
*cn_data
));
175 \ingroup ServerProtocolSSLAPI
176 * Check if the certificate is valid for a server
177 \param cert The X509 cert to check.
178 \param server The server name.
179 \return true if the certificate is valid for the server or false otherwise.
181 bool checkX509ServerValidity(X509
*cert
, const char *server
);
184 \ingroup ServerProtocolSSLAPI
185 * Convert a given ASN1_TIME to a string form.
186 \param tm the time in ASN1_TIME form
187 \param buf the buffer to write the output
188 \param len write at most len bytes
189 \return The number of bytes written
191 int asn1timeToString(ASN1_TIME
*tm
, char *buf
, int len
);
194 \ingroup ServerProtocolSSLAPI
195 * Sets the hostname for the Server Name Indication (SNI) TLS extension
196 * if supported by the used openssl toolkit.
197 \return true if SNI set false otherwise
199 bool setClientSNI(SSL
*ssl
, const char *fqdn
);
202 \ingroup ServerProtocolSSLAPI
203 * Returns CN from the certificate, suitable for use as a host name.
204 * Uses static memory to temporary store the extracted name.
206 const char *CommonHostName(X509
*x509
);
211 #if defined(__cplusplus)
213 /** \cond AUTODOCS-IGNORE */
218 /// \ingroup ServerProtocolSSLAPI
220 int SSL_set_fd(SSL
*ssl
, int fd
)
222 return ::SSL_set_fd(ssl
, _get_osfhandle(fd
));
225 /// \ingroup ServerProtocolSSLAPI
226 #define SSL_set_fd(ssl,fd) Squid::SSL_set_fd(ssl,fd)
228 } /* namespace Squid */
232 /// \ingroup ServerProtocolSSLAPI
233 #define SSL_set_fd(s,f) (SSL_set_fd(s, _get_osfhandle(f)))
235 #endif /* __cplusplus */
237 #endif /* _SQUID_MSWIN_ */
239 #endif /* SQUID_SSL_SUPPORT_H */