2 /*
3 * AUTHOR: Benno Rice
4 *
5 * SQUID Internet Object Cache http://squid.nlanr.net/Squid/
6 * ----------------------------------------------------------
7 *
8 * Squid is the result of efforts by numerous individuals from the
9 * Internet community. Development is led by Duane Wessels of the
10 * National Laboratory for Applied Network Research and funded by the
11 * National Science Foundation. Squid is Copyrighted (C) 1998 by
12 * Duane Wessels and the University of California San Diego. Please
13 * see the COPYRIGHT file for full details. Squid incorporates
14 * software developed and/or copyrighted by other sources. Please see
15 * the CREDITS file for full details.
16 *
17 * This program is free software; you can redistribute it and/or modify
18 * it under the terms of the GNU General Public License as published by
19 * the Free Software Foundation; either version 2 of the License, or
20 * (at your option) any later version.
21 *
22 * This program is distributed in the hope that it will be useful,
23 * but WITHOUT ANY WARRANTY; without even the implied warranty of
24 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25 * GNU General Public License for more details.
26 *
27 * You should have received a copy of the GNU General Public License
28 * along with this program; if not, write to the Free Software
29 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
30 *
31 */
32
33 #ifndef SQUID_SSL_SUPPORT_H
34 #define SQUID_SSL_SUPPORT_H
35
#include "CbDataList.h"
#include "ssl/gadgets.h"

#if HAVE_OPENSSL_SSL_H
#include <openssl/ssl.h>
#endif
#if HAVE_OPENSSL_X509V3_H
#include <openssl/x509v3.h>
#endif
#if HAVE_OPENSSL_ERR_H
#include <openssl/err.h>
#endif
#if HAVE_OPENSSL_ENGINE_H
#include <openssl/engine.h>
#endif

#include <climits>
51
52 /**
53 \defgroup ServerProtocolSSLAPI Server-Side SSL API
54 \ingroup ServerProtocol
55 */
56
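// Custom SSL errors; assumes all official errors are positive
//
// OpenSSL's X509_V_ERR_* verification codes and SSL_ERROR_NONE (0) are all
// non-negative, so Squid's own codes take negative values to keep the two
// spaces disjoint: any Ssl::ssl_error_t < 0 is a Squid-defined condition
// and must not be handed to OpenSSL's error-string lookups.
#define SQUID_X509_V_ERR_CERT_CHANGE -3     // per its name: the peer certificate differs from one seen earlier
#define SQUID_ERR_SSL_HANDSHAKE -2          // per its name: the TLS handshake itself failed
#define SQUID_X509_V_ERR_DOMAIN_MISMATCH -1 // per its name: the certificate does not match the requested host name
// All SSL errors range: from smallest (negative) custom to largest SSL error.
// Keep SQUID_SSL_ERROR_MIN equal to the most negative custom code above when
// adding new ones. INT_MAX comes from <climits>, which this header includes
// itself rather than relying on a transitive include from squid.h.
#define SQUID_SSL_ERROR_MIN SQUID_X509_V_ERR_CERT_CHANGE
#define SQUID_SSL_ERROR_MAX INT_MAX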
64
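/// Forward declaration only: the listening-port configuration object that the
/// context builders in this header take by reference. The full definition
/// lives elsewhere in the tree (presumably anyp/PortCfg.h); translation units
/// that dereference a PortCfg must include it themselves.
/// (No stray ';' after the closing brace: it was an empty declaration that
/// -pedantic builds warn about.)
namespace AnyP
{
class PortCfg;
}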
69
namespace Ssl
{
/// Squid defined error code (<0), an error code returned by SSL X509 api, or SSL_ERROR_NONE
/// Negative values are the SQUID_* codes defined above; non-negative values
/// are OpenSSL X509_V_ERR_* results or SSL_ERROR_NONE. Code that maps an
/// ssl_error_t to text or to a configured error list must check the sign
/// first so a Squid-defined code is never looked up in OpenSSL's tables.
typedef int ssl_error_t;

/// A list of ssl_error_t values (presumably the verification errors raised
/// for, or tolerated for, one peer certificate — confirm against callers).
typedef CbDataList<Ssl::ssl_error_t> Errors;

} //namespace Ssl
78
/// \ingroup ServerProtocolSSLAPI
/// Build the OpenSSL context for an SSL listening port from its configuration.
/// The return value is presumably NULL on failure; callers must check it
/// before use.
SSL_CTX *sslCreateServerContext(AnyP::PortCfg &port);

/// \ingroup ServerProtocolSSLAPI
/// Build the OpenSSL context used for Squid's own outgoing TLS connections.
/// \param certfile,keyfile client certificate and private key to present (file paths)
/// \param version protocol version selector (see Ssl::contextMethod below)
/// \param cipher OpenSSL cipher list string
/// \param options,flags textual option/flag lists (see Ssl::parse_options and Ssl::parse_flags below)
/// \param CAfile,CApath trust anchors for verifying the peer certificate
/// \param CRLfile CRLs to consult during verification (see Ssl::loadCrl below)
/// NOTE(review): with neither CAfile nor CApath set the context has no trust
/// anchors. Whether peer verification then fails hard, or is merely recorded
/// as an ssl_error_t for policy to decide, cannot be determined from this
/// header — confirm in the implementation before relying on it.
SSL_CTX *sslCreateClientContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath, const char *CRLfile);

/// \ingroup ServerProtocolSSLAPI
/// Read callback in (fd, buffer, length) form for a TLS-wrapped descriptor.
/// Presumably returns the byte count, with zero/negative signalling EOF or
/// error as read(2) does — confirm in the implementation.
int ssl_read_method(int, char *, int);

/// \ingroup ServerProtocolSSLAPI
/// Write callback in (fd, buffer, length) form for a TLS-wrapped descriptor;
/// return convention presumably mirrors write(2) — confirm.
int ssl_write_method(int, const char *, int);

/// \ingroup ServerProtocolSSLAPI
/// Shut the TLS session on ssl down (the descriptor itself is closed elsewhere).
void ssl_shutdown_method(SSL *ssl);

/// \ingroup ServerProtocolSSLAPI
/// Email address taken from the client certificate presented on ssl
/// (presumably NULL when there is no client certificate or no address).
/// Ownership and lifetime of the returned string are not documented here;
/// copy it rather than retaining the pointer past the session.
const char *sslGetUserEmail(SSL *ssl);

/// \ingroup ServerProtocolSSLAPI
/// Function type: look up a named attribute of a certificate associated with
/// an SSL session and return its textual value (NULL when absent, presumably).
typedef char const *SSLGETATTRIBUTE(SSL *, const char *);

/// \ingroup ServerProtocolSSLAPI
/// Attribute of the client ("user") certificate's subject, per its name.
SSLGETATTRIBUTE sslGetUserAttribute;

/// \ingroup ServerProtocolSSLAPI
/// Attribute of the client certificate's issuer (CA), per its name.
/// NOTE(review): these attribute strings come from the peer's certificate,
/// i.e. from untrusted input; treat them as data, not as trusted identity,
/// unless the certificate chain was verified against configured anchors.
SSLGETATTRIBUTE sslGetCAAttribute;

/// \ingroup ServerProtocolSSLAPI
/// PEM encoding of the client certificate presented on ssl. Lifetime of the
/// returned buffer is not documented here — copy if retained.
const char *sslGetUserCertificatePEM(SSL *ssl);

/// \ingroup ServerProtocolSSLAPI
/// PEM encoding of the client certificate plus the chain it sent.
/// Lifetime of the returned buffer is not documented here — copy if retained.
const char *sslGetUserCertificateChainPEM(SSL *ssl);
111
namespace Ssl
{
/**
 \ingroup ServerProtocolSSLAPI
 * Supported ssl-bump modes
 * bumpNone disables bumping; bumpClientFirst and bumpServerFirst are the two
 * bumping modes, per their names. bumpEnd is a sentinel marking the end of
 * the valid range (bumpMode() below uses it as the bound), not a mode.
 */
enum BumpMode {bumpNone = 0, bumpClientFirst, bumpServerFirst, bumpEnd};

/**
 \ingroup ServerProtocolSSLAPI
 * Short names for ssl-bump modes
 * Indexed by BumpMode; defined in the implementation, which must keep it
 * at least bumpEnd entries long for bumpMode() to stay in bounds.
 */
extern const char *BumpModeStr[];

/**
 \ingroup ServerProtocolSSLAPI
 * Return the short name of the ssl-bump mode "bm"
 * Bounds-checks bm against [0, bumpEnd) and returns NULL outside that range,
 * so callers that print the result must handle NULL. Takes an int rather
 * than a BumpMode presumably so that parsed/untrusted integers can be looked
 * up without first being cast.
 */
inline const char *bumpMode(int bm)
{
    return (0 <= bm && bm < Ssl::bumpEnd) ? Ssl::BumpModeStr[bm] : NULL;
}

/**
 \ingroup ServerProtocolSSLAPI
 * Parses the SSL flags.
 * Returns a bitmask; the text-to-bit mapping is defined in the implementation.
 */
long parse_flags(const char *flags);

/**
 \ingroup ServerProtocolSSLAPI
 * Parses the SSL options.
 * Returns a bitmask (presumably SSL_OP_* values); mapping defined in the implementation.
 */
long parse_options(const char *options);

/**
 \ingroup ServerProtocolSSLAPI
 * Load a CRLs list stored in a file
 \param CRLFile path of the file holding the CRLs
 \param flags in-out: presumably updated to enable CRL checking on success — confirm in the implementation
 \return the loaded CRL stack (NULL on failure, presumably); ownership is not documented here
 */
STACK_OF(X509_CRL) *loadCrl(const char *CRLFile, long &flags);

/**
 \ingroup ServerProtocolSSLAPI
 * Load DH params from file
 * Returns the DH parameters read from dhfile; whether the caller must
 * DH_free() the result is not documented here — confirm before use.
 */
DH *readDHParams(const char *dhfile);

/**
 \ingroup ServerProtocolSSLAPI
 * Compute the Ssl::ContextMethod (SSL_METHOD) from SSL version
 * The numeric version values accepted are defined by the implementation.
 */
ContextMethod contextMethod(int version);

/**
 \ingroup ServerProtocolSSLAPI
 * Generate a certificate to be used as untrusted signing certificate, based on a trusted CA
 \param untrustedCert,untrustedPkey outputs: the generated certificate and its key
 \param cert,pkey the trusted CA certificate and key the result is based on
 \return true on success
 * NOTE(review): the name suggests a signer that clients are meant NOT to
 * trust (e.g. for mirroring an origin certificate that failed validation);
 * confirm in the implementation and make sure such a signer is never
 * used for a context that should be trusted.
 */
bool generateUntrustedCert(X509_Pointer & untrustedCert, EVP_PKEY_Pointer & untrustedPkey, X509_Pointer const & cert, EVP_PKEY_Pointer const & pkey);

/**
 \ingroup ServerProtocolSSLAPI
 * Decide on the kind of certificate and generate a CA- or self-signed one
 \param properties describes the certificate to produce
 \param port the listening port whose configuration (CA, key) is used
 \return a new SSL context (presumably NULL on failure — check before use)
 */
SSL_CTX * generateSslContext(CertificateProperties const &properties, AnyP::PortCfg &port);

/**
 \ingroup ServerProtocolSSLAPI
 * Check if the certificate of the given context is still valid
 \param sslContext The context to check
 \param properties Check if the context certificate matches the given properties
 \return true if the contexts certificate is valid, false otherwise
 * Used to decide whether a previously generated context can be reused;
 * a false result should lead to regeneration rather than serving a stale
 * or mismatched certificate.
 */
bool verifySslCertificate(SSL_CTX * sslContext, CertificateProperties const &properties);

/**
 \ingroup ServerProtocolSSLAPI
 * Read private key and certificate from memory and generate SSL context
 * using them.
 \param data the in-memory key and certificate (format not stated here; presumably PEM text)
 \param port the listening port whose configuration applies
 \return a new SSL context (presumably NULL on parse failure)
 * NOTE(review): nothing in this header says whether data is validated
 * beyond being parseable; whatever produces it (a helper process or cache,
 * not visible here) is effectively trusted to supply the right key.
 */
SSL_CTX * generateSslContextUsingPkeyAndCertFromMemory(const char * data, AnyP::PortCfg &port);

/**
 \ingroup ServerProtocolSSLAPI
 * Adds the certificates in certList to the certificate chain of the SSL context
 * Ownership of certList after the call is not documented here.
 */
void addChainToSslContext(SSL_CTX *sslContext, STACK_OF(X509) *certList);

/**
 \ingroup ServerProtocolSSLAPI
 * Read certificate, private key and any certificates which must be chained from files.
 * See also: Ssl::readCertAndPrivateKeyFromFiles function, defined in gadgets.h
 * \param cert,pkey,chain outputs: the leaf certificate, its private key and the extra chain certificates
 * \param certFilename name of file with certificate and certificates which must be chained.
 * \param keyFilename name of file with private key.
 * There is no return value; failure is presumably signalled by leaving the
 * output pointers unset — callers must check them.
 */
void readCertChainAndPrivateKeyFromFiles(X509_Pointer & cert, EVP_PKEY_Pointer & pkey, X509_STACK_Pointer & chain, char const * certFilename, char const * keyFilename);

/**
 \ingroup ServerProtocolSSLAPI
 * Iterates over the X509 common and alternate names and to see if matches with given data
 * using the check_func.
 \param peer_cert The X509 cert to check
 \param check_data The data with which the X509 CNs compared
 \param check_func The function used to match X509 CNs. The CN data passed as ASN1_STRING data
 \return 1 if any of the certificate CN matches, 0 if none matches.
 * NOTE(review): an ASN1_STRING is not guaranteed to be NUL-terminated and
 * may contain embedded NUL bytes; a check_func must compare using
 * ASN1_STRING_length(), never strlen()/strcmp() on the raw data, or a
 * crafted certificate name can be made to match a shorter host name.
 */
int matchX509CommonNames(X509 *peer_cert, void *check_data, int (*check_func)(void *check_data, ASN1_STRING *cn_data));

/**
 \ingroup ServerProtocolSSLAPI
 * Check if the certificate is valid for a server
 \param cert The X509 cert to check.
 \param server The server name.
 \return true if the certificate is valid for the server or false otherwise.
 * Only name matching is implied here; it does not replace chain verification.
 */
bool checkX509ServerValidity(X509 *cert, const char *server);

/**
 \ingroup ServerProtocolSSLAPI
 * Convert a given ASN1_TIME to a string form.
 \param tm the time in ASN1_TIME form
 \param buf the buffer to write the output
 \param len write at most len bytes
 \return The number of bytes written
 * NOTE(review): whether buf is NUL-terminated within len is not stated;
 * callers should size buf generously and not assume termination.
 */
int asn1timeToString(ASN1_TIME *tm, char *buf, int len);

/**
 \ingroup ServerProtocolSSLAPI
 * Sets the hostname for the Server Name Indication (SNI) TLS extension
 * if supported by the used openssl toolkit.
 \param ssl the client-side session being set up
 \param fqdn the host name to send
 \return true if SNI set false otherwise
 * The SNI value is sent unencrypted in the ClientHello. RFC 6066 does not
 * permit IP literals in SNI; whether this function filters them cannot be
 * told from here — callers should avoid passing them.
 */
bool setClientSNI(SSL *ssl, const char *fqdn);
} //namespace Ssl
246
#if _SQUID_MSWIN_

#if defined(__cplusplus)

/** \cond AUTODOCS-IGNORE */
namespace Squid
{
/** \endcond */

/// \ingroup ServerProtocolSSLAPI
/// Windows-only wrapper: Squid's "fd" is a C-runtime descriptor, while
/// OpenSSL's SSL_set_fd() wants the underlying OS socket handle, so the
/// descriptor is translated with _get_osfhandle() before the real call.
/// Returns whatever ::SSL_set_fd() returns.
/// NOTE(review): _get_osfhandle() is documented to return intptr_t while
/// ::SSL_set_fd() takes an int, so the handle is narrowed here on 64-bit
/// builds; confirm socket handles stay within int range on supported
/// targets. _get_osfhandle() also needs <io.h>, which this header does not
/// include itself.
inline
int SSL_set_fd(SSL *ssl, int fd)
{
    return ::SSL_set_fd(ssl, _get_osfhandle(fd));
}

/// \ingroup ServerProtocolSSLAPI
/// Redirect every later SSL_set_fd() call in this translation unit to the
/// wrapper above. Defined after the wrapper so that the wrapper's own call
/// to ::SSL_set_fd() is not rewritten.
#define SSL_set_fd(ssl,fd) Squid::SSL_set_fd(ssl,fd)

} /* namespace Squid */

#else

/// \ingroup ServerProtocolSSLAPI
/// C fallback: the same descriptor-to-handle translation as a plain macro
/// (self-referencing macros expand only once, so this does not recurse).
#define SSL_set_fd(s,f) (SSL_set_fd(s, _get_osfhandle(f)))

#endif /* __cplusplus */

#endif /* _SQUID_MSWIN_ */
276
277 #endif /* SQUID_SSL_SUPPORT_H */