2 * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
9 /* DEBUG: section 83 SSL accelerator support */
11 #ifndef SQUID_SSL_SUPPORT_H
12 #define SQUID_SSL_SUPPORT_H
14 #include "base/CbDataList.h"
16 #include "security/forward.h"
17 #include "ssl/gadgets.h"
19 #if HAVE_OPENSSL_X509V3_H
20 #include <openssl/x509v3.h>
22 #if HAVE_OPENSSL_ERR_H
23 #include <openssl/err.h>
25 #if HAVE_OPENSSL_ENGINE_H
26 #include <openssl/engine.h>
31 \defgroup ServerProtocolSSLAPI Server-Side SSL API
32 \ingroup ServerProtocol
35 // Custom SSL errors; assumes all official errors are positive
36 #define SQUID_X509_V_ERR_INFINITE_VALIDATION -4
37 #define SQUID_X509_V_ERR_CERT_CHANGE -3
38 #define SQUID_ERR_SSL_HANDSHAKE -2
39 #define SQUID_X509_V_ERR_DOMAIN_MISMATCH -1
40 // All SSL errors range: from smallest (negative) custom to largest SSL error
41 #define SQUID_SSL_ERROR_MIN SQUID_X509_V_ERR_CERT_CHANGE
42 #define SQUID_SSL_ERROR_MAX INT_MAX
44 // Maximum certificate validation callbacks. OpenSSL versions exceeding this
45 // limit are deemed stuck in an infinite validation loop (OpenSSL bug #3090)
46 // and will trigger the SQUID_X509_V_ERR_INFINITE_VALIDATION error.
47 // Can be set to a number up to UINT32_MAX
48 #ifndef SQUID_CERT_VALIDATION_ITERATION_MAX
49 #define SQUID_CERT_VALIDATION_ITERATION_MAX 16384
59 /// initialize the SSL library global state.
60 /// call before generating any SSL context
63 /// Squid defined error code (<0), an error code returned by SSL X509 api, or SSL_ERROR_NONE
64 typedef int ssl_error_t
;
66 typedef CbDataList
<Ssl::ssl_error_t
> Errors
;
68 /// Creates SSL Client connection structure and initializes SSL I/O (Comm and BIO).
69 /// On errors, emits DBG_IMPORTANT with details and returns NULL.
70 SSL
*CreateClient(Security::ContextPtr sslContext
, const int fd
, const char *squidCtx
);
72 /// Creates SSL Server connection structure and initializes SSL I/O (Comm and BIO).
73 /// On errors, emits DBG_IMPORTANT with details and returns NULL.
74 SSL
*CreateServer(Security::ContextPtr sslContext
, const int fd
, const char *squidCtx
);
76 /// An SSL certificate-related error.
77 /// Pairs an error code with the certificate experiencing the error.
81 ssl_error_t code
; ///< certificate error code
82 Security::CertPointer cert
; ///< certificate with the above error code
83 CertError(ssl_error_t anErr
, X509
*aCert
);
84 CertError(CertError
const &err
);
85 CertError
& operator = (const CertError
&old
);
86 bool operator == (const CertError
&ce
) const;
87 bool operator != (const CertError
&ce
) const;
90 /// Holds a list of certificate SSL errors
91 typedef CbDataList
<Ssl::CertError
> CertErrors
;
95 /// \ingroup ServerProtocolSSLAPI
96 Security::ContextPtr
sslCreateServerContext(AnyP::PortCfg
&port
);
98 /// \ingroup ServerProtocolSSLAPI
99 Security::ContextPtr
sslCreateClientContext(Security::PeerOptions
&, long options
, long flags
);
101 /// \ingroup ServerProtocolSSLAPI
102 int ssl_read_method(int, char *, int);
104 /// \ingroup ServerProtocolSSLAPI
105 int ssl_write_method(int, const char *, int);
107 /// \ingroup ServerProtocolSSLAPI
108 void ssl_shutdown_method(SSL
*ssl
);
110 /// \ingroup ServerProtocolSSLAPI
111 const char *sslGetUserEmail(SSL
*ssl
);
113 /// \ingroup ServerProtocolSSLAPI
114 const char *sslGetUserAttribute(SSL
*ssl
, const char *attribute_name
);
116 /// \ingroup ServerProtocolSSLAPI
117 const char *sslGetCAAttribute(SSL
*ssl
, const char *attribute_name
);
119 /// \ingroup ServerProtocolSSLAPI
120 const char *sslGetUserCertificatePEM(SSL
*ssl
);
122 /// \ingroup ServerProtocolSSLAPI
123 const char *sslGetUserCertificateChainPEM(SSL
*ssl
);
127 /// \ingroup ServerProtocolSSLAPI
128 typedef char const *GETX509ATTRIBUTE(X509
*, const char *);
130 /// \ingroup ServerProtocolSSLAPI
131 GETX509ATTRIBUTE GetX509UserAttribute
;
133 /// \ingroup ServerProtocolSSLAPI
134 GETX509ATTRIBUTE GetX509CAAttribute
;
136 /// \ingroup ServerProtocolSSLAPI
137 GETX509ATTRIBUTE GetX509Fingerprint
;
139 extern const EVP_MD
*DefaultSignHash
;
142 \ingroup ServerProtocolSSLAPI
143 * Supported ssl-bump modes
145 enum BumpMode
{bumpNone
= 0, bumpClientFirst
, bumpServerFirst
, bumpPeek
, bumpStare
, bumpBump
, bumpSplice
, bumpTerminate
, /*bumpErr,*/ bumpEnd
};
147 enum BumpStep
{bumpStep1
, bumpStep2
, bumpStep3
};
150 \ingroup ServerProtocolSSLAPI
151 * Short names for ssl-bump modes
153 extern const char *BumpModeStr
[];
156 \ingroup ServerProtocolSSLAPI
157 * Return the short name of the ssl-bump mode "bm"
159 inline const char *bumpMode(int bm
)
161 return (0 <= bm
&& bm
< Ssl::bumpEnd
) ? Ssl::BumpModeStr
[bm
] : NULL
;
165 \ingroup ServerProtocolSSLAPI
166 * Generate a certificate to be used as untrusted signing certificate, based on a trusted CA
168 bool generateUntrustedCert(Security::CertPointer
& untrustedCert
, EVP_PKEY_Pointer
& untrustedPkey
, Security::CertPointer
const & cert
, EVP_PKEY_Pointer
const & pkey
);
170 /// certificates indexed by issuer name
171 typedef std::multimap
<SBuf
, X509
*> CertsIndexedList
;
174 \ingroup ServerProtocolSSLAPI
175 * Load PEM-encoded certificates from the given file.
177 bool loadCerts(const char *certsFile
, Ssl::CertsIndexedList
&list
);
180 \ingroup ServerProtocolSSLAPI
181 * Load PEM-encoded certificates to the squid untrusteds certificates
182 * internal DB from the given file.
184 bool loadSquidUntrusted(const char *path
);
187 \ingroup ServerProtocolSSLAPI
188 * Removes all certificates from squid untrusteds certificates
189 * internal DB and frees all memory
191 void unloadSquidUntrusted();
194 \ingroup ServerProtocolSSLAPI
195 * Decide on the kind of certificate and generate a CA- or self-signed one
197 Security::ContextPtr
generateSslContext(CertificateProperties
const &properties
, AnyP::PortCfg
&port
);
200 \ingroup ServerProtocolSSLAPI
201 * Check if the certificate of the given context is still valid
202 \param sslContext The context to check
203 \param properties Check if the context certificate matches the given properties
204 \return true if the contexts certificate is valid, false otherwise
206 bool verifySslCertificate(Security::ContextPtr sslContext
, CertificateProperties
const &properties
);
209 \ingroup ServerProtocolSSLAPI
210 * Read private key and certificate from memory and generate SSL context
213 Security::ContextPtr
generateSslContextUsingPkeyAndCertFromMemory(const char * data
, AnyP::PortCfg
&port
);
216 \ingroup ServerProtocolSSLAPI
217 * Create an SSL context using the provided certificate and key
219 Security::ContextPtr
createSSLContext(Security::CertPointer
& x509
, Ssl::EVP_PKEY_Pointer
& pkey
, AnyP::PortCfg
&port
);
222 \ingroup ServerProtocolSSLAPI
223 * Generates a certificate and a private key using provided properies and set it
226 bool configureSSL(SSL
*ssl
, CertificateProperties
const &properties
, AnyP::PortCfg
&port
);
229 \ingroup ServerProtocolSSLAPI
230 * Read private key and certificate from memory and set it to SSL object
233 bool configureSSLUsingPkeyAndCertFromMemory(SSL
*ssl
, const char *data
, AnyP::PortCfg
&port
);
236 \ingroup ServerProtocolSSLAPI
237 * Adds the certificates in certList to the certificate chain of the SSL context
239 void addChainToSslContext(Security::ContextPtr sslContext
, STACK_OF(X509
) *certList
);
242 \ingroup ServerProtocolSSLAPI
243 * Configures sslContext to use squid untrusted certificates internal list
244 * to complete certificate chains when verifies SSL servers certificates.
246 void useSquidUntrusted(SSL_CTX
*sslContext
);
249 \ingroup ServerProtocolSSLAPI
250 * Read certificate, private key and any certificates which must be chained from files.
251 * See also: Ssl::readCertAndPrivateKeyFromFiles function, defined in gadgets.h
252 * \param certFilename name of file with certificate and certificates which must be chainned.
253 * \param keyFilename name of file with private key.
255 void readCertChainAndPrivateKeyFromFiles(Security::CertPointer
& cert
, EVP_PKEY_Pointer
& pkey
, X509_STACK_Pointer
& chain
, char const * certFilename
, char const * keyFilename
);
258 \ingroup ServerProtocolSSLAPI
259 * Iterates over the X509 common and alternate names and to see if matches with given data
260 * using the check_func.
261 \param peer_cert The X509 cert to check
262 \param check_data The data with which the X509 CNs compared
263 \param check_func The function used to match X509 CNs. The CN data passed as ASN1_STRING data
264 \return 1 if any of the certificate CN matches, 0 if none matches.
266 int matchX509CommonNames(X509
*peer_cert
, void *check_data
, int (*check_func
)(void *check_data
, ASN1_STRING
*cn_data
));
269 \ingroup ServerProtocolSSLAPI
270 * Check if the certificate is valid for a server
271 \param cert The X509 cert to check.
272 \param server The server name.
273 \return true if the certificate is valid for the server or false otherwise.
275 bool checkX509ServerValidity(X509
*cert
, const char *server
);
278 \ingroup ServerProtocolSSLAPI
279 * Convert a given ASN1_TIME to a string form.
280 \param tm the time in ASN1_TIME form
281 \param buf the buffer to write the output
282 \param len write at most len bytes
283 \return The number of bytes written
285 int asn1timeToString(ASN1_TIME
*tm
, char *buf
, int len
);
288 \ingroup ServerProtocolSSLAPI
289 * Sets the hostname for the Server Name Indication (SNI) TLS extension
290 * if supported by the used openssl toolkit.
291 \return true if SNI set false otherwise
293 bool setClientSNI(SSL
*ssl
, const char *fqdn
);
296 \ingroup ServerProtocolSSLAPI
297 * Initializes the shared session cache if configured
299 void initialize_session_cache();
302 \ingroup ServerProtocolSSLAPI
303 * Destroy the shared session cache if configured
305 void destruct_session_cache();
310 #if defined(__cplusplus)
312 /** \cond AUTODOCS-IGNORE */
317 /// \ingroup ServerProtocolSSLAPI
319 int SSL_set_fd(SSL
*ssl
, int fd
)
321 return ::SSL_set_fd(ssl
, _get_osfhandle(fd
));
324 /// \ingroup ServerProtocolSSLAPI
325 #define SSL_set_fd(ssl,fd) Squid::SSL_set_fd(ssl,fd)
327 } /* namespace Squid */
331 /// \ingroup ServerProtocolSSLAPI
332 #define SSL_set_fd(s,f) (SSL_set_fd(s, _get_osfhandle(f)))
334 #endif /* __cplusplus */
336 #endif /* _SQUID_WINDOWS_ */
338 #endif /* SQUID_SSL_SUPPORT_H */