2 /*
3 * $Id$
4 *
5 * AUTHOR: Benno Rice
6 *
7 * SQUID Internet Object Cache http://squid.nlanr.net/Squid/
8 * ----------------------------------------------------------
9 *
10 * Squid is the result of efforts by numerous individuals from the
11 * Internet community. Development is led by Duane Wessels of the
12 * National Laboratory for Applied Network Research and funded by the
13 * National Science Foundation. Squid is Copyrighted (C) 1998 by
14 * Duane Wessels and the University of California San Diego. Please
15 * see the COPYRIGHT file for full details. Squid incorporates
16 * software developed and/or copyrighted by other sources. Please see
17 * the CREDITS file for full details.
18 *
19 * This program is free software; you can redistribute it and/or modify
20 * it under the terms of the GNU General Public License as published by
21 * the Free Software Foundation; either version 2 of the License, or
22 * (at your option) any later version.
23 *
24 * This program is distributed in the hope that it will be useful,
25 * but WITHOUT ANY WARRANTY; without even the implied warranty of
26 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27 * GNU General Public License for more details.
28 *
29 * You should have received a copy of the GNU General Public License
30 * along with this program; if not, write to the Free Software
31 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
32 *
33 */
34
35 #ifndef SQUID_SSL_SUPPORT_H
36 #define SQUID_SSL_SUPPORT_H
37
38 #include "CbDataList.h"
39 #include "ssl/gadgets.h"
40
41 #if HAVE_OPENSSL_SSL_H
42 #include <openssl/ssl.h>
43 #endif
44 #if HAVE_OPENSSL_X509V3_H
45 #include <openssl/x509v3.h>
46 #endif
47 #if HAVE_OPENSSL_ERR_H
48 #include <openssl/err.h>
49 #endif
50 #if HAVE_OPENSSL_ENGINE_H
51 #include <openssl/engine.h>
52 #endif
53
/**
 \defgroup ServerProtocolSSLAPI Server-Side SSL API
 \ingroup ServerProtocol
 */

// Custom SSL errors; assumes all official errors are positive.
// Squid keeps its own codes strictly negative so that they can share the
// ssl_error_t int range with OpenSSL's X509_V_ERR_* values without
// colliding (see Ssl::ssl_error_t below).
// The meanings are inferred from the names only; the code that raises
// them is not visible in this header:
//  - CERT_CHANGE: presumably the peer presented a different certificate
//    than the one seen before;
//  - SSL_HANDSHAKE: presumably a failed TLS handshake;
//  - DOMAIN_MISMATCH: presumably the certificate does not match the
//    requested host name.
#define SQUID_X509_V_ERR_CERT_CHANGE -3
#define SQUID_ERR_SSL_HANDSHAKE -2
#define SQUID_X509_V_ERR_DOMAIN_MISMATCH -1
// All SSL errors range: from smallest (negative) custom to largest SSL error.
// NOTE(review): INT_MAX needs <climits>/<limits.h>, which this header does
// not include itself; presumably it arrives through an earlier include --
// verify before relying on this header standalone.
#define SQUID_SSL_ERROR_MIN SQUID_X509_V_ERR_CERT_CHANGE
#define SQUID_SSL_ERROR_MAX INT_MAX

namespace Ssl
{
/// Squid defined error code (<0), an error code returned by SSL X509 api, or SSL_ERROR_NONE
typedef int ssl_error_t;

/// A callback-data list of ssl_error_t values (CbDataList comes from
/// "CbDataList.h", included above). How the list is populated and
/// consumed is not visible in this header.
typedef CbDataList<Ssl::ssl_error_t> Errors;

} //namespace Ssl

/// \ingroup ServerProtocolSSLAPI
/// Builds the SSL_CTX for the server side (presumably the client-facing
/// listener). Parameter meanings are inferred from their names, since the
/// definition is not visible in this header: certfile/keyfile name the
/// certificate and private key files; version selects the protocol version;
/// cipher, options and flags are the textual settings from squid.conf;
/// clientCA, CAfile, CApath and CRLfile presumably configure client-certificate
/// verification (trust anchors and revocation list); dhpath presumably names
/// a DH parameter file; context is an opaque identifier. Ownership of the
/// returned SSL_CTX and the behaviour on failure (NULL? fatal?) are not
/// documented here -- check the definition.
SSL_CTX *sslCreateServerContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *clientCA, const char *CAfile, const char *CApath, const char *CRLfile, const char *dhpath, const char *context);

/// \ingroup ServerProtocolSSLAPI
/// Builds the SSL_CTX for the client side (presumably Squid's own connections
/// to origin servers). Same parameter conventions as sslCreateServerContext();
/// CAfile/CApath/CRLfile presumably govern verification of the server's
/// certificate. There is no clientCA, dhpath or context parameter here.
SSL_CTX *sslCreateClientContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath, const char *CRLfile);

/// \ingroup ServerProtocolSSLAPI
/// Read callback for an SSL-wrapped descriptor. The unnamed parameters are,
/// by position, presumably the file descriptor, the destination buffer and
/// its size; the int result presumably follows the read(2) convention
/// (bytes read, 0, or negative) -- confirm against the definition, which is
/// not visible here.
int ssl_read_method(int, char *, int);

/// \ingroup ServerProtocolSSLAPI
/// Write callback for an SSL-wrapped descriptor: presumably (fd, source
/// buffer, byte count) with a write(2)-style int result -- confirm.
int ssl_write_method(int, const char *, int);

/// \ingroup ServerProtocolSSLAPI
/// Shuts down the TLS session on ssl. The exact semantics (one-way vs.
/// bidirectional close_notify, whether the SSL object is freed) are not
/// documented here -- see the definition.
void ssl_shutdown_method(SSL *ssl);


/// \ingroup ServerProtocolSSLAPI
/// Returns the e-mail address carried by the peer ("user") certificate of
/// ssl, presumably NULL when there is none. The lifetime of the returned
/// string is not documented here; Ssl::CommonHostName() below states that
/// it uses static storage, so assume the same until the definition proves
/// otherwise. As with every accessor below, the value originates from the
/// peer's certificate and says nothing about whether that certificate was
/// verified.
const char *sslGetUserEmail(SSL *ssl);

/// \ingroup ServerProtocolSSLAPI
/// Signature shared by the certificate attribute accessors below:
/// (ssl, attribute name) -> attribute value, presumably NULL when absent.
/// The accepted attribute names are defined by the implementation, not here.
typedef char const *SSLGETATTRIBUTE(SSL *, const char *);

/// \ingroup ServerProtocolSSLAPI
/// Looks up a named attribute of the peer ("user") certificate (presumably
/// of its subject -- confirm against the definition).
SSLGETATTRIBUTE sslGetUserAttribute;

/// \ingroup ServerProtocolSSLAPI
/// Looks up a named attribute of the CA certificate (presumably the issuer
/// of the peer certificate -- confirm against the definition).
SSLGETATTRIBUTE sslGetCAAttribute;

/// \ingroup ServerProtocolSSLAPI
/// Returns the peer certificate in PEM form (storage/lifetime as above).
const char *sslGetUserCertificatePEM(SSL *ssl);

/// \ingroup ServerProtocolSSLAPI
/// Returns the peer certificate chain in PEM form (storage/lifetime as above).
const char *sslGetUserCertificateChainPEM(SSL *ssl);

namespace Ssl
{

/**
 \ingroup ServerProtocolSSLAPI
 * A temporary self-signed certificate generated on squid start up, to be
 * used to sign the generated untrusted certificates.
 * Defined elsewhere (extern); X509_Pointer comes from ssl/gadgets.h.
 */
extern X509_Pointer SquidCaCert;

/**
 \ingroup ServerProtocolSSLAPI
 * The key of the SquidCaCert certificate. Anything able to read this key can
 * produce certificates chaining to SquidCaCert, so it must stay private to
 * the process; how it is stored is not visible here.
 */
extern EVP_PKEY_Pointer SquidCaCertKey;

/**
 \ingroup ServerProtocolSSLAPI
 * Decide on the kind of certificate and generate a CA- or self-signed one,
 * returning an SSL_CTX that uses it. CertificateProperties is presumably
 * declared in ssl/gadgets.h (included above). Ownership of the returned
 * context and failure signalling (NULL?) are not documented here.
 */
SSL_CTX * generateSslContext(CertificateProperties const &properties);

/**
 \ingroup ServerProtocolSSLAPI
 * Check if the certificate of the given context is still valid
 \param sslContext The context to check
 \param checkCert Also check if the context certificate matches this certificate;
        with the default NULL, presumably only the validity check is performed
 \return true if the contexts certificate is valid, false otherwise
 */
bool verifySslCertificate(SSL_CTX * sslContext, X509 *checkCert = NULL);

/**
 \ingroup ServerProtocolSSLAPI
 * Read private key and certificate from memory and generate SSL context
 * using them.
 \param data in-memory key and certificate; the expected encoding (PEM?) and
        order are not documented here -- see the definition
 */
SSL_CTX * generateSslContextUsingPkeyAndCertFromMemory(const char * data);

/**
 \ingroup ServerProtocolSSLAPI
 * Adds the certificates in certList to the certificate chain of the SSL context
 \param sslContext the context to extend
 \param certList certificates to append; whether they are copied or whether
        ownership of the stack passes to the context is not documented here
 */
void addChainToSslContext(SSL_CTX *sslContext, STACK_OF(X509) *certList);

/**
 \ingroup ServerProtocolSSLAPI
 * Read certificate, private key and any certificates which must be chained from files.
 * See also: Ssl::readCertAndPrivateKeyFromFiles function, defined in gadgets.h
 \param cert receives the leaf certificate
 \param pkey receives the private key
 \param chain receives the additional certificates of the chain
 \param certFilename name of file with certificate and certificates which must be chained.
 \param keyFilename name of file with private key.
 * Returns nothing, so failure has to be detected by the caller (presumably
 * by checking the output pointers) -- confirm against the definition.
 */
void readCertChainAndPrivateKeyFromFiles(X509_Pointer & cert, EVP_PKEY_Pointer & pkey, X509_STACK_Pointer & chain, char const * certFilename, char const * keyFilename);

/**
 \ingroup ServerProtocolSSLAPI
 * Iterates over the X509 common and alternate names to see if any matches the given data
 * using the check_func.
 \param peer_cert The X509 cert to check
 \param check_data The data with which the X509 CNs are compared; passed through to check_func
 \param check_func The function used to match X509 CNs. The CN data is passed as ASN1_STRING data
 \return 1 if any of the certificate CN matches, 0 if none matches.
 * The ASN1_STRING handed to check_func is raw certificate content: check_func
 * must honour its length field rather than treat the data as a NUL-terminated
 * C string.
 */
int matchX509CommonNames(X509 *peer_cert, void *check_data, int (*check_func)(void *check_data, ASN1_STRING *cn_data));

/**
 \ingroup ServerProtocolSSLAPI
 * Check if the certificate is valid for a server
 \param cert The X509 cert to check.
 \param server The server name.
 \return true if the certificate is valid for the server or false otherwise.
 * Presumably a name match (cf. matchX509CommonNames) rather than a full
 * chain or expiry verification -- confirm against the definition.
 */
bool checkX509ServerValidity(X509 *cert, const char *server);

/**
 \ingroup ServerProtocolSSLAPI
 * Convert a given ASN1_TIME to a string form.
 \param tm the time in ASN1_TIME form
 \param buf the buffer to write the output
 \param len write at most len bytes
 \return The number of bytes written
 * Whether buf is always NUL-terminated within len, and what is returned when
 * the text does not fit, are not documented here -- confirm before using buf
 * as a C string.
 */
int asn1timeToString(ASN1_TIME *tm, char *buf, int len);

/**
 \ingroup ServerProtocolSSLAPI
 * Sets the hostname for the Server Name Indication (SNI) TLS extension
 * if supported by the used openssl toolkit.
 \param ssl the client-side SSL object to configure
 \param fqdn the host name to send
 \return true if SNI set false otherwise
 */
bool setClientSNI(SSL *ssl, const char *fqdn);

/**
 \ingroup ServerProtocolSSLAPI
 * Returns CN from the certificate, suitable for use as a host name.
 * Uses static memory to temporary store the extracted name, so the result is
 * overwritten by the next call and the function is not safe to use from
 * several threads at once.
 */
const char *CommonHostName(X509 *x509);
} //namespace Ssl

#if _SQUID_MSWIN_
// On Windows, Squid's descriptors are C-runtime descriptors while OpenSSL
// expects the underlying OS socket handle, so SSL_set_fd is wrapped to
// convert with _get_osfhandle(). Both the C++ and the C branch below then
// redirect the name SSL_set_fd to the converting form via a function-like
// macro.

#if defined(__cplusplus)

/** \cond AUTODOCS-IGNORE */
namespace Squid
{
/** \endcond */

/// \ingroup ServerProtocolSSLAPI
/// Converts the CRT descriptor fd to its OS handle and hands it to OpenSSL's
/// SSL_set_fd(). NOTE(review): _get_osfhandle() returns an intptr_t while
/// OpenSSL's SSL_set_fd() takes an int, so the handle is narrowed on 64-bit
/// builds; whether that is safe for socket handles on the supported targets
/// is not established here -- confirm.
inline
int SSL_set_fd(SSL *ssl, int fd)
{
    return ::SSL_set_fd(ssl, _get_osfhandle(fd));
}

/// \ingroup ServerProtocolSSLAPI
/// Defined after the wrapper on purpose: a macro only affects text that
/// follows it, so the ::SSL_set_fd call inside the wrapper still names
/// OpenSSL's function. Macros ignore namespaces, so this applies file-wide
/// despite sitting inside namespace Squid.
#define SSL_set_fd(ssl,fd) Squid::SSL_set_fd(ssl,fd)

} /* namespace Squid */

#else

/// \ingroup ServerProtocolSSLAPI
/// C fallback: the self-reference is safe because the preprocessor does not
/// re-expand a macro inside its own expansion, so the inner SSL_set_fd is
/// OpenSSL's.
#define SSL_set_fd(s,f) (SSL_set_fd(s, _get_osfhandle(f)))

#endif /* __cplusplus */

#endif /* _SQUID_MSWIN_ */

239 #endif /* SQUID_SSL_SUPPORT_H */