src/ssl/support.h

   1 /*
   2  * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
   3  *
   4  * Squid software is distributed under GPLv2+ license and includes
   5  * contributions from numerous individuals and organizations.
   6  * Please see the COPYING and CONTRIBUTORS files for details.
   7  */
   8
   9 /* DEBUG: section 83    SSL accelerator support */
  10
  11 #ifndef SQUID_SSL_SUPPORT_H
  12 #define SQUID_SSL_SUPPORT_H
  13
  14 #include "base/CbDataList.h"
  15 #include "ssl/gadgets.h"
  16
  17 #if HAVE_OPENSSL_SSL_H
  18 #include <openssl/ssl.h>
  19 #endif
  20 #if HAVE_OPENSSL_X509V3_H
  21 #include <openssl/x509v3.h>
  22 #endif
  23 #if HAVE_OPENSSL_ERR_H
  24 #include <openssl/err.h>
  25 #endif
  26 #if HAVE_OPENSSL_ENGINE_H
  27 #include <openssl/engine.h>
  28 #endif
  29
  30 /**
  31  \defgroup ServerProtocolSSLAPI Server-Side SSL API
  32  \ingroup ServerProtocol
  33  */
  34
  35 // Custom SSL errors; assumes all official errors are positive
  36 #define SQUID_X509_V_ERR_INFINITE_VALIDATION -4
  37 #define SQUID_X509_V_ERR_CERT_CHANGE -3
  38 #define SQUID_ERR_SSL_HANDSHAKE -2
  39 #define SQUID_X509_V_ERR_DOMAIN_MISMATCH -1
  40 // All SSL errors range: from smallest (negative) custom to largest SSL error
  41 #define SQUID_SSL_ERROR_MIN SQUID_X509_V_ERR_CERT_CHANGE
  42 #define SQUID_SSL_ERROR_MAX INT_MAX
  43
  44 // Maximum certificate validation callbacks. OpenSSL versions exceeding this
  45 // limit are deemed stuck in an infinite validation loop (OpenSSL bug #3090)
  46 // and will trigger the SQUID_X509_V_ERR_INFINITE_VALIDATION error.
  47 // Can be set to a number up to UINT32_MAX
  48 #ifndef SQUID_CERT_VALIDATION_ITERATION_MAX
  49 #define SQUID_CERT_VALIDATION_ITERATION_MAX 16384
  50 #endif
  51
  52 namespace AnyP
  53 {
  54 class PortCfg;
  55 };
  56
  57 namespace Ssl
  58 {
  59 /// Squid defined error code (<0),  an error code returned by SSL X509 api, or SSL_ERROR_NONE
  60 typedef int ssl_error_t;
  61
  62 typedef CbDataList<Ssl::ssl_error_t> Errors;
  63
  64 /// Creates SSL Client connection structure and initializes SSL I/O (Comm and BIO).
  65 /// On errors, emits DBG_IMPORTANT with details and returns NULL.
  66 SSL *CreateClient(SSL_CTX *sslContext, const int fd, const char *squidCtx);
  67
  68 /// Creates SSL Server connection structure and initializes SSL I/O (Comm and BIO).
  69 /// On errors, emits DBG_IMPORTANT with details and returns NULL.
  70 SSL *CreateServer(SSL_CTX *sslContext, const int fd, const char *squidCtx);
  71
  72 /// An SSL certificate-related error.
  73 /// Pairs an error code with the certificate experiencing the error.
  74 class CertError
  75 {
  76 public:
  77     ssl_error_t code; ///< certificate error code
  78     X509_Pointer cert; ///< certificate with the above error code
  79     CertError(ssl_error_t anErr, X509 *aCert);
  80     CertError(CertError const &err);
  81     CertError & operator = (const CertError &old);
  82     bool operator == (const CertError &ce) const;
  83     bool operator != (const CertError &ce) const;
  84 };
  85
  86 /// Holds a list of certificate SSL errors
  87 typedef CbDataList<Ssl::CertError> CertErrors;
  88
  89 } //namespace Ssl
  90
  91 /// \ingroup ServerProtocolSSLAPI
  92 SSL_CTX *sslCreateServerContext(AnyP::PortCfg &port);
  93
  94 /// \ingroup ServerProtocolSSLAPI
  95 SSL_CTX *sslCreateClientContext(const char *certfile, const char *keyfile, int version, const char *cipher, long options, long flags, const char *CAfile, const char *CApath, const char *CRLfile);
  96
  97 /// \ingroup ServerProtocolSSLAPI
  98 int ssl_read_method(int, char *, int);
  99
 100 /// \ingroup ServerProtocolSSLAPI
 101 int ssl_write_method(int, const char *, int);
 102
 103 /// \ingroup ServerProtocolSSLAPI
 104 void ssl_shutdown_method(SSL *ssl);
 105
 106 /// \ingroup ServerProtocolSSLAPI
 107 const char *sslGetUserEmail(SSL *ssl);
 108
 109 /// \ingroup ServerProtocolSSLAPI
 110 const char *sslGetUserAttribute(SSL *ssl, const char *attribute_name);
 111
 112 /// \ingroup ServerProtocolSSLAPI
 113 const char *sslGetCAAttribute(SSL *ssl, const char *attribute_name);
 114
 115 /// \ingroup ServerProtocolSSLAPI
 116 const char *sslGetUserCertificatePEM(SSL *ssl);
 117
 118 /// \ingroup ServerProtocolSSLAPI
 119 const char *sslGetUserCertificateChainPEM(SSL *ssl);
 120
 121 namespace Ssl
 122 {
 123 /// \ingroup ServerProtocolSSLAPI
 124 typedef char const *GETX509ATTRIBUTE(X509 *, const char *);
 125
 126 /// \ingroup ServerProtocolSSLAPI
 127 GETX509ATTRIBUTE GetX509UserAttribute;
 128
 129 /// \ingroup ServerProtocolSSLAPI
 130 GETX509ATTRIBUTE GetX509CAAttribute;
 131
 132 /// \ingroup ServerProtocolSSLAPI
 133 GETX509ATTRIBUTE GetX509Fingerprint;
 134
 135 extern const EVP_MD *DefaultSignHash;
 136
 137 /**
 138   \ingroup ServerProtocolSSLAPI
 139  * Supported ssl-bump modes
 140  */
 141 enum BumpMode {bumpNone = 0, bumpClientFirst, bumpServerFirst, bumpPeek, bumpStare, bumpBump, bumpSplice, bumpTerminate, /*bumpErr,*/ bumpEnd};
 142
 143 enum BumpStep {bumpStep1, bumpStep2, bumpStep3};
 144
 145 /**
 146  \ingroup  ServerProtocolSSLAPI
 147  * Short names for ssl-bump modes
 148  */
 149 extern const char *BumpModeStr[];
 150
 151 /**
 152  \ingroup ServerProtocolSSLAPI
 153  * Return the short name of the ssl-bump mode "bm"
 154  */
 155 inline const char *bumpMode(int bm)
 156 {
 157     return (0 <= bm && bm < Ssl::bumpEnd) ? Ssl::BumpModeStr[bm] : NULL;
 158 }
 159
 160 /**
 161  \ingroup ServerProtocolSSLAPI
 162  * Parses the SSL flags.
 163  */
 164 long parse_flags(const char *flags);
 165
 166 /**
 167  \ingroup ServerProtocolSSLAPI
 168  * Load a CRLs list stored in a file
 169  */
 170 STACK_OF(X509_CRL) *loadCrl(const char *CRLFile, long &flags);
 171
 172 /**
 173  \ingroup ServerProtocolSSLAPI
 174  * Load DH params from file
 175  */
 176 DH *readDHParams(const char *dhfile);
 177
 178 /**
 179  \ingroup ServerProtocolSSLAPI
 180  * Compute the Ssl::ContextMethod (SSL_METHOD) from SSL version
 181  */
 182 ContextMethod contextMethod(int version);
 183
 184 /**
 185   \ingroup ServerProtocolSSLAPI
 186   * Generate a certificate to be used as untrusted signing certificate, based on a trusted CA
 187 */
 188 bool generateUntrustedCert(X509_Pointer & untrustedCert, EVP_PKEY_Pointer & untrustedPkey, X509_Pointer const & cert, EVP_PKEY_Pointer const & pkey);
 189
 190 /**
 191   \ingroup ServerProtocolSSLAPI
 192   * Decide on the kind of certificate and generate a CA- or self-signed one
 193 */
 194 SSL_CTX * generateSslContext(CertificateProperties const &properties, AnyP::PortCfg &port);
 195
 196 /**
 197   \ingroup ServerProtocolSSLAPI
 198   * Check if the certificate of the given context is still valid
 199   \param sslContext The context to check
 200   \param properties Check if the context certificate matches the given properties
 201   \return true if the contexts certificate is valid, false otherwise
 202  */
 203 bool verifySslCertificate(SSL_CTX * sslContext,  CertificateProperties const &properties);
 204
 205 /**
 206   \ingroup ServerProtocolSSLAPI
 207   * Read private key and certificate from memory and generate SSL context
 208   * using their.
 209  */
 210 SSL_CTX * generateSslContextUsingPkeyAndCertFromMemory(const char * data, AnyP::PortCfg &port);
 211
 212 /**
 213   \ingroup ServerProtocolSSLAPI
 214   * Create an SSL context using the provided certificate and key
 215  */
 216 SSL_CTX * createSSLContext(Ssl::X509_Pointer & x509, Ssl::EVP_PKEY_Pointer & pkey, AnyP::PortCfg &port);
 217
 218 /**
 219   \ingroup ServerProtocolSSLAPI
 220   * Generates a certificate and a private key using provided properies and set it
 221   * to SSL object.
 222  */
 223 bool configureSSL(SSL *ssl, CertificateProperties const &properties, AnyP::PortCfg &port);
 224
 225 /**
 226   \ingroup ServerProtocolSSLAPI
 227   * Read private key and certificate from memory and set it to SSL object
 228   * using their.
 229  */
 230 bool configureSSLUsingPkeyAndCertFromMemory(SSL *ssl, const char *data, AnyP::PortCfg &port);
 231
 232 /**
 233   \ingroup ServerProtocolSSLAPI
 234   * Adds the certificates in certList to the certificate chain of the SSL context
 235  */
 236 void addChainToSslContext(SSL_CTX *sslContext, STACK_OF(X509) *certList);
 237
 238 /**
 239  \ingroup ServerProtocolSSLAPI
 240  *  Read certificate, private key and any certificates which must be chained from files.
 241  * See also: Ssl::readCertAndPrivateKeyFromFiles function,  defined in gadgets.h
 242  * \param certFilename name of file with certificate and certificates which must be chainned.
 243  * \param keyFilename name of file with private key.
 244  */
 245 void readCertChainAndPrivateKeyFromFiles(X509_Pointer & cert, EVP_PKEY_Pointer & pkey, X509_STACK_Pointer & chain, char const * certFilename, char const * keyFilename);
 246
 247 /**
 248    \ingroup ServerProtocolSSLAPI
 249    * Iterates over the X509 common and alternate names and to see if  matches with given data
 250    * using the check_func.
 251    \param peer_cert  The X509 cert to check
 252    \param check_data The data with which the X509 CNs compared
 253    \param check_func The function used to match X509 CNs. The CN data passed as ASN1_STRING data
 254    \return   1 if any of the certificate CN matches, 0 if none matches.
 255  */
 256 int matchX509CommonNames(X509 *peer_cert, void *check_data, int (*check_func)(void *check_data,  ASN1_STRING *cn_data));
 257
 258 /**
 259    \ingroup ServerProtocolSSLAPI
 260    * Check if the certificate is valid for a server
 261    \param cert  The X509 cert to check.
 262    \param server The server name.
 263    \return   true if the certificate is valid for the server or false otherwise.
 264  */
 265 bool checkX509ServerValidity(X509 *cert, const char *server);
 266
 267 /**
 268    \ingroup ServerProtocolSSLAPI
 269    * Convert a given ASN1_TIME to a string form.
 270    \param tm the time in ASN1_TIME form
 271    \param buf the buffer to write the output
 272    \param len write at most len bytes
 273    \return The number of bytes written
 274  */
 275 int asn1timeToString(ASN1_TIME *tm, char *buf, int len);
 276
 277 /**
 278    \ingroup ServerProtocolSSLAPI
 279    * Sets the hostname for the Server Name Indication (SNI) TLS extension
 280    * if supported by the used openssl toolkit.
 281    \return true if SNI set false otherwise
 282 */
 283 bool setClientSNI(SSL *ssl, const char *fqdn);
 284
 285 int OpenSSLtoSquidSSLVersion(int sslVersion);
 286
 287 #if OPENSSL_VERSION_NUMBER < 0x00909000L
 288 SSL_METHOD *method(int version);
 289 #else
 290 const SSL_METHOD *method(int version);
 291 #endif
 292
 293 const SSL_METHOD *serverMethod(int version);
 294
 295 /**
 296    \ingroup ServerProtocolSSLAPI
 297    * Initializes the shared session cache if configured
 298 */
 299 void initialize_session_cache();
 300
 301 /**
 302    \ingroup ServerProtocolSSLAPI
 303    * Destroy the shared session cache if configured
 304 */
 305 void destruct_session_cache();
 306 } //namespace Ssl
 307
 308 #if _SQUID_WINDOWS_
 309
 310 #if defined(__cplusplus)
 311
 312 /** \cond AUTODOCS-IGNORE */
 313 namespace Squid
 314 {
 315 /** \endcond */
 316
 317 /// \ingroup ServerProtocolSSLAPI
 318 inline
 319 int SSL_set_fd(SSL *ssl, int fd)
 320 {
 321     return ::SSL_set_fd(ssl, _get_osfhandle(fd));
 322 }
 323
 324 /// \ingroup ServerProtocolSSLAPI
 325 #define SSL_set_fd(ssl,fd) Squid::SSL_set_fd(ssl,fd)
 326
 327 } /* namespace Squid */
 328
 329 #else
 330
 331 /// \ingroup ServerProtocolSSLAPI
 332 #define SSL_set_fd(s,f) (SSL_set_fd(s, _get_osfhandle(f)))
 333
 334 #endif /* __cplusplus */
 335
 336 #endif /* _SQUID_WINDOWS_ */
 337
 338 #endif /* SQUID_SSL_SUPPORT_H */
 339