2 /*
3 * AUTHOR: Benno Rice
4 *
5 * SQUID Internet Object Cache http://squid.nlanr.net/Squid/
6 * ----------------------------------------------------------
7 *
8 * Squid is the result of efforts by numerous individuals from the
9 * Internet community. Development is led by Duane Wessels of the
10 * National Laboratory for Applied Network Research and funded by the
11 * National Science Foundation. Squid is Copyrighted (C) 1998 by
12 * Duane Wessels and the University of California San Diego. Please
13 * see the COPYRIGHT file for full details. Squid incorporates
14 * software developed and/or copyrighted by other sources. Please see
15 * the CREDITS file for full details.
16 *
17 * This program is free software; you can redistribute it and/or modify
18 * it under the terms of the GNU General Public License as published by
19 * the Free Software Foundation; either version 2 of the License, or
20 * (at your option) any later version.
21 *
22 * This program is distributed in the hope that it will be useful,
23 * but WITHOUT ANY WARRANTY; without even the implied warranty of
24 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25 * GNU General Public License for more details.
26 *
27 * You should have received a copy of the GNU General Public License
28 * along with this program; if not, write to the Free Software
29 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
30 *
31 */
32
33 #ifndef SQUID_SSL_SUPPORT_H
34 #define SQUID_SSL_SUPPORT_H
35
#include "CbDataList.h"
#include "ssl/gadgets.h"

#if HAVE_OPENSSL_SSL_H
#include <openssl/ssl.h>
#endif
#if HAVE_OPENSSL_X509V3_H
#include <openssl/x509v3.h>
#endif
#if HAVE_OPENSSL_ERR_H
#include <openssl/err.h>
#endif
#if HAVE_OPENSSL_ENGINE_H
#include <openssl/engine.h>
#endif
#include <climits> // INT_MAX, used by SQUID_SSL_ERROR_MAX below
51
52 /**
53 \defgroup ServerProtocolSSLAPI Server-Side SSL API
54 \ingroup ServerProtocol
55 */
56
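// Custom SSL errors; assumes all official errors are positive.
// These share the ssl_error_t value space with OpenSSL's (positive)
// X509_V_ERR_* codes, so every custom code must be negative and unique.
// When adding one, keep SQUID_SSL_ERROR_MIN below equal to the most
// negative value in this list.
#define SQUID_X509_V_ERR_INFINITE_VALIDATION -4
#define SQUID_X509_V_ERR_CERT_CHANGE -3
#define SQUID_ERR_SSL_HANDSHAKE -2
#define SQUID_X509_V_ERR_DOMAIN_MISMATCH -1
// All SSL errors range: from smallest (negative) custom to largest SSL error.
// The lower bound was SQUID_X509_V_ERR_CERT_CHANGE (-3), which left
// SQUID_X509_V_ERR_INFINITE_VALIDATION (-4) outside the declared range even
// though the comment above promises the range starts at the smallest custom
// code; callers that range-check an ssl_error_t against these bounds would
// have rejected a legitimate Squid error. Track the most negative code.
#define SQUID_SSL_ERROR_MIN SQUID_X509_V_ERR_INFINITE_VALIDATION
#define SQUID_SSL_ERROR_MAX INT_MAX

// Maximum certificate validation callbacks. OpenSSL versions exceeding this
// limit are deemed stuck in an infinite validation loop (OpenSSL bug #3090)
// and will trigger the SQUID_X509_V_ERR_INFINITE_VALIDATION error.
// Can be overridden at build time with any value up to UINT32_MAX.
#ifndef SQUID_CERT_VALIDATION_ITERATION_MAX
#define SQUID_CERT_VALIDATION_ITERATION_MAX 16384
#endif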
73
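namespace AnyP
{
/// Forward declaration only: this header takes PortCfg by reference
/// (see sslCreateServerContext and the Ssl::generateSslContext* functions),
/// so the full definition is not needed here.
class PortCfg;
} // namespace AnyP (no trailing ';' -- an empty declaration that -Wpedantic flags)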
78
namespace Ssl
{
/// Squid defined error code (<0), an error code returned by SSL X509 api, or SSL_ERROR_NONE
typedef int ssl_error_t;

/// A list of ssl_error_t codes.
typedef CbDataList<Ssl::ssl_error_t> Errors;

/// An SSL certificate-related error: an ssl_error_t code paired with
/// the X509 certificate that produced it.
class CertError
{
public:
    ssl_error_t code;   ///< certificate error code
    X509_Pointer cert;  ///< certificate with the above error code

    CertError(ssl_error_t anErr, X509 *aCert);
    CertError(const CertError &err);
    CertError &operator=(const CertError &old);

    bool operator==(const CertError &ce) const;
    bool operator!=(const CertError &ce) const;
};

/// A list of CertError entries.
typedef CbDataList<Ssl::CertError> CertErrors;

} // namespace Ssl
104
/// \ingroup ServerProtocolSSLAPI
/// Create the server-side SSL_CTX for the given listening port configuration.
SSL_CTX *sslCreateServerContext(AnyP::PortCfg &port);

/// \ingroup ServerProtocolSSLAPI
/// Create a client-side SSL_CTX from certificate/key files and protocol
/// settings. The string arguments are configuration text (cipher list,
/// options, flags, CA file/path, CRL file); how each is parsed, and which
/// may be NULL when unset, is defined by the implementation and not
/// visible from this declaration.
SSL_CTX *sslCreateClientContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath, const char *CRLfile);

/// \ingroup ServerProtocolSSLAPI
/// Read method for SSL connections. Parameter names added for readability;
/// presumably (descriptor, buffer, length) -- confirm against the definition.
int ssl_read_method(int fd, char *buf, int len);

/// \ingroup ServerProtocolSSLAPI
/// Write method for SSL connections; same parameter convention as
/// ssl_read_method (presumably).
int ssl_write_method(int fd, const char *buf, int len);

/// \ingroup ServerProtocolSSLAPI
/// Shutdown method for an SSL connection.
void ssl_shutdown_method(SSL *ssl);

// The accessors below return const char *. Whether they return NULL when the
// requested data is absent, and how long the returned pointer stays valid,
// are not visible from these declarations -- check the implementation before
// storing or freeing the result.

/// \ingroup ServerProtocolSSLAPI
/// Email address taken from the user certificate of the given session.
const char *sslGetUserEmail(SSL *ssl);

/// \ingroup ServerProtocolSSLAPI
/// Named attribute of the user certificate of the given session.
const char *sslGetUserAttribute(SSL *ssl, const char *attribute_name);

/// \ingroup ServerProtocolSSLAPI
/// Named attribute of the CA certificate of the given session.
const char *sslGetCAAttribute(SSL *ssl, const char *attribute_name);

/// \ingroup ServerProtocolSSLAPI
/// PEM encoding of the user certificate of the given session.
const char *sslGetUserCertificatePEM(SSL *ssl);

/// \ingroup ServerProtocolSSLAPI
/// PEM encoding of the user certificate chain of the given session.
const char *sslGetUserCertificateChainPEM(SSL *ssl);
134
namespace Ssl
{
/// \ingroup ServerProtocolSSLAPI
/// Function type shared by the X509 attribute accessors declared below:
/// takes a certificate and an attribute name, returns attribute text.
typedef char const *GETX509ATTRIBUTE(X509 *, const char *);

/// \ingroup ServerProtocolSSLAPI
/// Look up a user attribute of the certificate.
GETX509ATTRIBUTE GetX509UserAttribute;

/// \ingroup ServerProtocolSSLAPI
/// Look up a CA attribute of the certificate.
GETX509ATTRIBUTE GetX509CAAttribute;

/// \ingroup ServerProtocolSSLAPI
/// Return the certificate fingerprint. What the second argument selects
/// is defined by the implementation, not visible here.
GETX509ATTRIBUTE GetX509Fingerprint;

/// \ingroup ServerProtocolSSLAPI
/// Supported ssl-bump modes. bumpEnd is a sentinel (one past the last real
/// mode) that bounds BumpModeStr[] lookups; it is not a mode itself.
enum BumpMode {bumpNone = 0, bumpClientFirst, bumpServerFirst, bumpEnd};

/// \ingroup ServerProtocolSSLAPI
/// Short names for ssl-bump modes, indexed by BumpMode. The table is defined
/// elsewhere and must hold at least bumpEnd entries for the range check in
/// bumpMode() to be sufficient.
extern const char *BumpModeStr[];

/// \ingroup ServerProtocolSSLAPI
/// Return the short name of the ssl-bump mode "bm", or NULL when bm lies
/// outside [0, bumpEnd). The parameter is a plain int so callers may pass
/// unvalidated values; the range check keeps the table lookup in bounds.
inline const char *bumpMode(int bm)
{
    if (bm < 0 || bm >= Ssl::bumpEnd)
        return NULL;
    return Ssl::BumpModeStr[bm];
}

/// \ingroup ServerProtocolSSLAPI
/// Parse the SSL flags configuration string into a long.
/// \param flags the flags text as written in the configuration
long parse_flags(const char *flags);

/// \ingroup ServerProtocolSSLAPI
/// Parse the SSL options configuration string into a long.
/// \param options the options text as written in the configuration
long parse_options(const char *options);

/// \ingroup ServerProtocolSSLAPI
/// Load a list of CRLs stored in a file.
/// \param CRLFile path of the file holding the CRLs
/// \param flags passed by reference; the implementation may update it
///        (the exact effect is not visible from this declaration)
STACK_OF(X509_CRL) *loadCrl(const char *CRLFile, long &flags);

/// \ingroup ServerProtocolSSLAPI
/// Load DH parameters from a file.
/// \param dhfile path of the DH parameters file
/// \return the loaded DH object; ownership presumably passes to the caller
///         -- confirm against the implementation before freeing it
DH *readDHParams(const char *dhfile);

/// \ingroup ServerProtocolSSLAPI
/// Map an SSL version number to the Ssl::ContextMethod (SSL_METHOD) used
/// to create a context for it.
ContextMethod contextMethod(int version);

/// \ingroup ServerProtocolSSLAPI
/// Generate a certificate to be used as an untrusted signing certificate,
/// derived from a trusted CA certificate/key pair.
/// \param untrustedCert receives the generated certificate
/// \param untrustedPkey receives the generated private key
/// \param cert the trusted CA certificate the new one is based on
/// \param pkey the trusted CA private key
/// \return true on success, false otherwise (inferred from the bool return)
bool generateUntrustedCert(X509_Pointer & untrustedCert, EVP_PKEY_Pointer & untrustedPkey, X509_Pointer const & cert, EVP_PKEY_Pointer const & pkey);

/// \ingroup ServerProtocolSSLAPI
/// Decide on the kind of certificate to use and generate a CA-signed or
/// self-signed one, returning a context built around it.
SSL_CTX * generateSslContext(CertificateProperties const &properties, AnyP::PortCfg &port);

/// \ingroup ServerProtocolSSLAPI
/// Check whether the certificate of the given context is still valid.
/// \param sslContext the context to check
/// \param properties the context certificate must match these properties
/// \return true if the context's certificate is valid, false otherwise
bool verifySslCertificate(SSL_CTX * sslContext, CertificateProperties const &properties);

/// \ingroup ServerProtocolSSLAPI
/// Read a private key and certificate from memory and generate an SSL
/// context using them.
/// \param data in-memory text holding both the private key and the
///        certificate (the accepted encoding is not visible here)
/// \param port the listening port configuration
SSL_CTX * generateSslContextUsingPkeyAndCertFromMemory(const char * data, AnyP::PortCfg &port);

/// \ingroup ServerProtocolSSLAPI
/// Add the certificates in certList to the certificate chain of the given
/// SSL context.
void addChainToSslContext(SSL_CTX *sslContext, STACK_OF(X509) *certList);

/// \ingroup ServerProtocolSSLAPI
/// Read the certificate, the private key, and any certificates which must
/// be chained, from files.
/// See also: Ssl::readCertAndPrivateKeyFromFiles, defined in gadgets.h.
/// \param cert receives the certificate
/// \param pkey receives the private key
/// \param chain receives the certificates to chain
/// \param certFilename file holding the certificate plus the certificates
///        which must be chained
/// \param keyFilename file holding the private key
void readCertChainAndPrivateKeyFromFiles(X509_Pointer & cert, EVP_PKEY_Pointer & pkey, X509_STACK_Pointer & chain, char const * certFilename, char const * keyFilename);

/// \ingroup ServerProtocolSSLAPI
/// Iterate over the X509 common and alternate names and check whether any
/// of them matches the given data, using check_func.
/// \param peer_cert the X509 certificate to check
/// \param check_data the data the X509 CNs are compared with
/// \param check_func the matcher; the CN data is passed as an ASN1_STRING
/// \return 1 if any certificate CN matches, 0 if none matches
int matchX509CommonNames(X509 *peer_cert, void *check_data, int (*check_func)(void *check_data, ASN1_STRING *cn_data));

/// \ingroup ServerProtocolSSLAPI
/// Check whether the certificate is valid for a server.
/// \param cert the X509 certificate to check
/// \param server the server name
/// \return true if the certificate is valid for the server, false otherwise
bool checkX509ServerValidity(X509 *cert, const char *server);

/// \ingroup ServerProtocolSSLAPI
/// Convert an ASN1_TIME to string form.
/// \param tm the time in ASN1_TIME form
/// \param buf the buffer to write the output to
/// \param len write at most len bytes
/// \return the number of bytes written
/// NOTE(review): whether buf is NUL-terminated within len is not stated
/// here -- confirm before treating the output as a C string.
int asn1timeToString(ASN1_TIME *tm, char *buf, int len);

/// \ingroup ServerProtocolSSLAPI
/// Set the hostname for the Server Name Indication (SNI) TLS extension,
/// if the OpenSSL toolkit in use supports it.
/// \return true if SNI was set, false otherwise
bool setClientSNI(SSL *ssl, const char *fqdn);

/// \ingroup ServerProtocolSSLAPI
/// Initialize the shared session cache, if configured.
void initialize_session_cache();

/// \ingroup ServerProtocolSSLAPI
/// Destroy the shared session cache, if configured.
void destruct_session_cache();
} // namespace Ssl
293
#if _SQUID_WINDOWS_

#if defined(__cplusplus)

/** \cond AUTODOCS-IGNORE */
namespace Squid
{
/** \endcond */

/// \ingroup ServerProtocolSSLAPI
/// Windows shim for OpenSSL's SSL_set_fd(): fd is a CRT file descriptor
/// (that is what _get_osfhandle() translates), so convert it to the
/// underlying OS handle before handing it to OpenSSL.
/// NOTE(review): _get_osfhandle() returns a pointer-sized handle while
/// SSL_set_fd() takes an int; confirm the implicit narrowing is acceptable
/// on 64-bit builds.
inline
int SSL_set_fd(SSL *ssl, int fd)
{
    return ::SSL_set_fd(ssl, _get_osfhandle(fd));
}

/// \ingroup ServerProtocolSSLAPI
/// Route every later SSL_set_fd(...) call in the translation unit through
/// the shim above. The macro is deliberately defined AFTER the inline
/// function: defined earlier, it would also rewrite the ::SSL_set_fd(...)
/// call inside the shim's own body.
#define SSL_set_fd(ssl,fd) Squid::SSL_set_fd(ssl,fd)

} /* namespace Squid */

#else

/// \ingroup ServerProtocolSSLAPI
/// Plain C variant of the same shim. A function-like macro is not
/// re-expanded inside its own replacement text, so the inner SSL_set_fd
/// here resolves to the real OpenSSL function.
#define SSL_set_fd(s,f) (SSL_set_fd(s, _get_osfhandle(f)))

#endif /* __cplusplus */

#endif /* _SQUID_WINDOWS_ */
323
324 #endif /* SQUID_SSL_SUPPORT_H */