From: hno <> Date: Sun, 15 Apr 2001 00:23:41 +0000 (+0000) Subject: SSL->HTTP gatewaying support by Benno Rice X-Git-Tag: SQUID_3_0_PRE1~1543 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f484cdf5a978947ad50c69fd379ac5fc3027a43e;p=thirdparty%2Fsquid.git SSL->HTTP gatewaying support by Benno Rice Allows Squid in accelerator mode to listen for https requests as well as http requests. (ssl_support.[ch] was forgotten in the big commit) --- diff --git a/src/ssl_support.cc b/src/ssl_support.cc new file mode 100644 index 0000000000..0920ad6d55 --- /dev/null +++ b/src/ssl_support.cc @@ -0,0 +1,186 @@ + +/* + * $Id: ssl_support.cc,v 1.1 2001/04/14 18:23:41 hno Exp $ + * + * AUTHOR: Benno Rice + * DEBUG: section 81 SSL accelerator support + * + * SQUID Internet Object Cache http://squid.nlanr.net/Squid/ + * ---------------------------------------------------------- + * + * Squid is the result of efforts by numerous individuals from the + * Internet community. Development is led by Duane Wessels of the + * National Laboratory for Applied Network Research and funded by the + * National Science Foundation. Squid is Copyrighted (C) 1998 by + * Duane Wessels and the University of California San Diego. Please + * see the COPYRIGHT file for full details. Squid incorporates + * software developed and/or copyrighted by other sources. Please see + * the CREDITS file for full details. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. + * + */ + +#include "squid.h" + +extern int commUnsetNonBlocking(int fd); +extern int commSetNonBlocking(int fd); + +void clientNegotiateSSL(int fd, void *data); +void clientReadSSLRequest(int fd, void *data); +void connFreeSSL(int fd, void *data); + +SSL_CTX *sslContext = NULL; +SSL **ssl_table = NULL; + +static RSA * +ssl_temp_rsa_cb(SSL * ssl, int export, int keylen) +{ + static RSA *rsa = NULL; + + if (rsa == NULL) + rsa = RSA_generate_key(512, RSA_F4, NULL, NULL); + return rsa; +} + +static int +ssl_verify_cb(int ok, X509_STORE_CTX * ctx) +{ + char buffer[256]; + + X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buffer, + sizeof(buffer)); + if (ok) + debug(81, 5) ("SSL Certificate OK: %s\n", buffer); + else { + switch (ctx->error) { + case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: + debug(81, 5) ("SSL Certficate error: CA not known: %s\n", buffer); + break; + case X509_V_ERR_CERT_NOT_YET_VALID: + debug(81, 5) ("SSL Certficate not yet valid: %s\n", buffer); + break; + case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: + debug(81, 5) ("SSL Certificate has illegal \'not before\' field: %s\n", buffer); + break; + case X509_V_ERR_CERT_HAS_EXPIRED: + debug(81, 5) ("SSL Certificate expired: %s\n", buffer); + break; + case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: + debug(81, 5) ("SSL Certificate has invalid \'not after\' field: %s\n", buffer); + break; + default: + debug(81, 5) ("SSL unknown certificate error %d in %s\n", + ctx->error, buffer); + break; + } + } + return ok; +} + +void +sslInit(const char *certfile, const char *keyfile) +{ + int ssl_error; + SSL_METHOD *method; + SSL_load_error_strings(); + SSLeay_add_ssl_algorithms(); + + if (!keyfile) + keyfile = certfile; + if (!certfile) + certfile = keyfile; + + debug(81, 1) ("Initialising SSL.\n"); + switch (Config.SSL.version) { + case 2: + debug(81, 5) ("Using SSLv2.\n"); + method = SSLv2_server_method(); + break; + case 3: + debug(81, 5) ("Using SSLv3.\n"); + method = SSLv3_server_method(); + break; + case 4: + debug(81, 5) ("Using TLSv1.\n"); + method = TLSv1_server_method(); + break; + case 1: + default: + debug(81, 5) ("Using SSLv2/SSLv3.\n"); + method = SSLv23_server_method(); + break; + } + + sslContext = SSL_CTX_new(method); + if (sslContext == NULL) { + ssl_error = ERR_get_error(); + fatalf("Failed to allocate SSL context: %s\n", + ERR_error_string(ssl_error, NULL)); + } + SSL_CTX_set_options(sslContext, SSL_OP_ALL); + + debug(81, 1) ("Using certificate in %s\n", certfile); + if (!SSL_CTX_use_certificate_file(sslContext, certfile, SSL_FILETYPE_PEM)) { + ssl_error = ERR_get_error(); + fatalf("Failed to acquire SSL certificate: %s\n", + ERR_error_string(ssl_error, NULL)); + } + debug(81, 1) ("Using private key in %s\n", keyfile); + if (!SSL_CTX_use_PrivateKey_file(sslContext, keyfile, SSL_FILETYPE_PEM)) { + ssl_error = ERR_get_error(); + fatalf("Failed to acquire SSL private key: %s\n", + ERR_error_string(ssl_error, NULL)); + } + debug(81, 5) ("Comparing private and public SSL keys.\n"); + if (!SSL_CTX_check_private_key(sslContext)) + fatal("SSL private key does not match public key: %s\n"); + + debug(81, 9) ("Setting RSA key generation callback.\n"); + SSL_CTX_set_tmp_rsa_callback(sslContext, ssl_temp_rsa_cb); + + debug(81, 9) ("Setting certificate verification callback.\n"); + SSL_CTX_set_verify(sslContext, SSL_VERIFY_NONE, ssl_verify_cb); + + debug(81, 9) ("Setting default CA certificate location.\n"); + if (!SSL_CTX_set_default_verify_paths(sslContext)) { + ssl_error = ERR_get_error(); + debug(81, 1) ("Error error setting default CA certificate location: %s\n", + ERR_error_string(ssl_error, NULL)); + debug(81, 1) ("continuing anyway...\n"); + } + debug(81, 9) ("Set client certifying authority list.\n"); + SSL_CTX_set_client_CA_list(sslContext, SSL_load_client_CA_file(certfile)); + + ssl_table = xcalloc(Squid_MaxFD, sizeof(SSL *)); +} + +int +ssl_read_method(fd, buf, len) + int fd; + char *buf; + int len; +{ + return (SSL_read(fd_table[fd].ssl, buf, len)); +} + +int +ssl_write_method(fd, buf, len) + int fd; + const char *buf; + int len; +{ + return (SSL_write(fd_table[fd].ssl, buf, len)); +} diff --git a/src/ssl_support.h b/src/ssl_support.h new file mode 100644 index 0000000000..dbebf373fa --- /dev/null +++ b/src/ssl_support.h @@ -0,0 +1,52 @@ + +/* + * $Id: ssl_support.h,v 1.1 2001/04/14 18:23:41 hno Exp $ + * + * AUTHOR: Benno Rice + * + * SQUID Internet Object Cache http://squid.nlanr.net/Squid/ + * ---------------------------------------------------------- + * + * Squid is the result of efforts by numerous individuals from the + * Internet community. Development is led by Duane Wessels of the + * National Laboratory for Applied Network Research and funded by the + * National Science Foundation. Squid is Copyrighted (C) 1998 by + * Duane Wessels and the University of California San Diego. Please + * see the COPYRIGHT file for full details. Squid incorporates + * software developed and/or copyrighted by other sources. Please see + * the CREDITS file for full details. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. + * + */ + +#ifndef SSL_SUPPORT_H +#define SSL_SUPPORT_H + +#include "config.h" +#if HAVE_OPENSSL_SSL_H +#include +#endif +#if HAVE_OPENSSL_ERR_H +#include +#endif + +extern SSL_CTX *sslContext; + +void sslInit(const char *certfile, const char *keyfile); +int ssl_read_method(int, char *, int); +int ssl_write_method(int, const char *, int); + +#endif /* SSL_SUPPORT_H */