squid : Optimising Web Delivery

Go to the documentation of this file.

 /*
  * Copyright (C) 1996-2025 The Squid Software Foundation and contributors
  *
  * Squid software is distributed under GPLv2+ license and includes
  * contributions from numerous individuals and organizations.
  * Please see the COPYING and CONTRIBUTORS files for details.
  */
  
 #ifndef SQUID_SRC_SSL_GADGETS_H
 #define SQUID_SRC_SSL_GADGETS_H
  
 #if USE_OPENSSL
  
 #include "anyp/forward.h"
 #include "base/HardFun.h"
 #include "compat/openssl.h"
 #include "sbuf/forward.h"
 #include "security/forward.h"
 #include "ssl/crtd_message.h"
  
 #include <optional>
 #include <string>
  
 #if HAVE_OPENSSL_ASN1_H
 #include <openssl/asn1.h>
 #endif
 #if HAVE_OPENSSL_PEM_H
 #include <openssl/pem.h>
 #endif
 #if HAVE_OPENSSL_TXT_DB_H
 #include <openssl/txt_db.h>
 #endif
 #if HAVE_OPENSSL_X509V3_H
 #include <openssl/x509v3.h>
 #endif
  
 namespace Ssl
 {
 #if !defined(SQUID_SSL_SIGN_HASH_IF_NONE)
 #define SQUID_SSL_SIGN_HASH_IF_NONE "sha256"
 #endif
  
 sk_dtor_wrapper(sk_X509, STACK_OF(X509) *, X509_free);
 typedef std::unique_ptr<STACK_OF(X509), sk_X509_free_wrapper> X509_STACK_Pointer;
  
 typedef std::unique_ptr<BIGNUM, HardFun<void, BIGNUM*, &BN_free>> BIGNUM_Pointer;
  
 typedef std::unique_ptr<BIO, HardFun<void, BIO*, &BIO_vfree>> BIO_Pointer;
  
 typedef std::unique_ptr<ASN1_INTEGER, HardFun<void, ASN1_INTEGER*, &ASN1_INTEGER_free>> ASN1_INT_Pointer;
  
 typedef std::unique_ptr<ASN1_OCTET_STRING, HardFun<void, ASN1_OCTET_STRING*, &ASN1_OCTET_STRING_free>> ASN1_OCTET_STRING_Pointer;
  
 typedef std::unique_ptr<TXT_DB, HardFun<void, TXT_DB*, &TXT_DB_free>> TXT_DB_Pointer;
  
 typedef std::unique_ptr<X509_NAME, HardFun<void, X509_NAME*, &X509_NAME_free>> X509_NAME_Pointer;
  
 using EVP_PKEY_CTX_Pointer = std::unique_ptr<EVP_PKEY_CTX, HardFun<void, EVP_PKEY_CTX*, &EVP_PKEY_CTX_free>>;
  
 typedef std::unique_ptr<X509_REQ, HardFun<void, X509_REQ*, &X509_REQ_free>> X509_REQ_Pointer;
  
 typedef std::unique_ptr<AUTHORITY_KEYID, HardFun<void, AUTHORITY_KEYID*, &AUTHORITY_KEYID_free>> AUTHORITY_KEYID_Pointer;
  
 sk_dtor_wrapper(sk_GENERAL_NAME, STACK_OF(GENERAL_NAME) *, GENERAL_NAME_free);
 typedef std::unique_ptr<STACK_OF(GENERAL_NAME), sk_GENERAL_NAME_free_wrapper> GENERAL_NAME_STACK_Pointer;
  
 typedef std::unique_ptr<GENERAL_NAME, HardFun<void, GENERAL_NAME*, &GENERAL_NAME_free>> GENERAL_NAME_Pointer;
  
 typedef std::unique_ptr<X509_EXTENSION, HardFun<void, X509_EXTENSION*, &X509_EXTENSION_free>> X509_EXTENSION_Pointer;
  
 typedef std::unique_ptr<X509_STORE_CTX, HardFun<void, X509_STORE_CTX *, &X509_STORE_CTX_free>> X509_STORE_CTX_Pointer;
  
 // not using CtoCpp1() here because OpenSSL_free() takes void* rather than char*
 inline void OPENSSL_free_for_c_strings(char * const string) { OPENSSL_free(string); }
 using UniqueCString = std::unique_ptr<char, HardFun<void, char *, &OPENSSL_free_for_c_strings> >;
  
 void ForgetErrors();
  
 std::ostream &ReportAndForgetErrors(std::ostream &);
  
 bool writeCertAndPrivateKeyToMemory(Security::CertPointer const & cert, Security::PrivateKeyPointer const & pkey, std::string & bufferToWrite);
  
 bool appendCertToMemory(Security::CertPointer const & cert, std::string & bufferToWrite);
  
 bool readCertAndPrivateKeyFromMemory(Security::CertPointer & cert, Security::PrivateKeyPointer & pkey, char const * bufferToRead);
  
 BIO_Pointer ReadOnlyBioTiedTo(const char *);
  
 void ReadPrivateKeyFromFile(char const * keyFilename, Security::PrivateKeyPointer &pkey, pem_password_cb *passwd_callback);
  
 bool OpenCertsFileForReading(BIO_Pointer &bio, const char *filename);
  
 Security::CertPointer ReadCertificate(const BIO_Pointer &);
  
 Security::CertPointer ReadOptionalCertificate(const BIO_Pointer &);
  
 bool ReadPrivateKey(BIO_Pointer &bio, Security::PrivateKeyPointer &pkey, pem_password_cb *passwd_callback);
  
 bool OpenCertsFileForWriting(BIO_Pointer &bio, const char *filename);
  
 bool WriteX509Certificate(BIO_Pointer &bio, const Security::CertPointer & cert);
  
 bool WritePrivateKey(BIO_Pointer &bio, const Security::PrivateKeyPointer &pkey);
  
 UniqueCString OneLineSummary(X509_NAME &);
  
 enum CertSignAlgorithm {algSignTrusted = 0, algSignUntrusted, algSignSelf, algSignEnd};
  
 extern const char *CertSignAlgorithmStr[];
  
 inline const char *certSignAlgorithm(int sg)
 {
     if (sg >=0 && sg < Ssl::algSignEnd)
         return Ssl::CertSignAlgorithmStr[sg];
  
     return nullptr;
 }
  
 inline CertSignAlgorithm certSignAlgorithmId(const char *sg)
 {
     for (int i = 0; i < algSignEnd && Ssl::CertSignAlgorithmStr[i] != nullptr; i++)
         if (strcmp(Ssl::CertSignAlgorithmStr[i], sg) == 0)
             return (CertSignAlgorithm)i;
  
     return algSignEnd;
 }
  
 enum CertAdaptAlgorithm {algSetValidAfter = 0, algSetValidBefore, algSetCommonName, algSetEnd};
  
 extern const char *CertAdaptAlgorithmStr[];
  
 inline const char *sslCertAdaptAlgoritm(int alg)
 {
     if (alg >=0 && alg < Ssl::algSetEnd)
         return Ssl::CertAdaptAlgorithmStr[alg];
  
     return nullptr;
 }
  
 class CertificateProperties
 {
 public:
     CertificateProperties();
     Security::CertPointer mimicCert; 
     Security::CertPointer signWithX509; 
     Security::PrivateKeyPointer signWithPkey; 
     bool setValidAfter; 
     bool setValidBefore; 
     bool setCommonName; 
     std::string commonName; 
     CertSignAlgorithm signAlgorithm; 
     const EVP_MD *signHash; 
 private:
     CertificateProperties(CertificateProperties &);
     CertificateProperties &operator =(CertificateProperties const &);
 };
  
 std::string & OnDiskCertificateDbKey(const CertificateProperties &);
  
 bool generateSslCertificate(Security::CertPointer & cert, Security::PrivateKeyPointer & pkey, CertificateProperties const &properties);
  
 bool sslDateIsInTheFuture(char const * date);
  
 bool certificateMatchesProperties(X509 *peer_cert, CertificateProperties const &properties);
  
 const char *CommonHostName(X509 *x509);
  
 SBuf AsnToSBuf(const ASN1_STRING &);
  
 std::optional<AnyP::Host> ParseCommonNameAt(X509_NAME &, int);
  
 std::optional<AnyP::Host> ParseAsSimpleDomainNameOrIp(const SBuf &);
  
 const char *getOrganization(X509 *x509);
  
 bool CertificatesCmp(const Security::CertPointer &cert1, const Security::CertPointer &cert2);
  
 const ASN1_BIT_STRING *X509_get_signature(const Security::CertPointer &);
  
 } // namespace Ssl
  
 #endif // USE_OPENSSL
 #endif /* SQUID_SRC_SSL_GADGETS_H */
  

Ssl::appendCertToMemory

bool appendCertToMemory(Security::CertPointer const &cert, std::string &bufferToWrite)

Definition: gadgets.cc:123

Ssl::CertificateProperties

Definition: gadgets.h:231

Ssl::ParseCommonNameAt

std::optional< AnyP::Host > ParseCommonNameAt(X509_NAME &, int)

interprets X.509 Subject or Issuer name entry (at the given position) as CN

Definition: gadgets.cc:504

Ssl::ASN1_INT_Pointer

std::unique_ptr< ASN1_INTEGER, HardFun< void, ASN1_INTEGER *, &ASN1_INTEGER_free > > ASN1_INT_Pointer

Definition: gadgets.h:59

Ssl::ReadCertificate

Security::CertPointer ReadCertificate(const BIO_Pointer &)

Definition: gadgets.cc:816

Ssl::CertSignAlgorithm

CertSignAlgorithm

Definition: gadgets.h:169

Ssl::CertificateProperties::CertificateProperties

CertificateProperties()

Definition: gadgets.cc:246

Ssl::CertificateProperties::mimicCert

Security::CertPointer mimicCert

Certificate to mimic.

Definition: gadgets.h:235

Ssl::CommonHostName

const char * CommonHostName(X509 *x509)

Definition: gadgets.cc:1027

Ssl::CertificateProperties::signWithX509

Security::CertPointer signWithX509

Certificate to sign the generated request.

Definition: gadgets.h:236

Ssl::CertificateProperties::signHash

const EVP_MD * signHash

The signing hash to use.

Definition: gadgets.h:243

Ssl::AUTHORITY_KEYID_Pointer

std::unique_ptr< AUTHORITY_KEYID, HardFun< void, AUTHORITY_KEYID *, &AUTHORITY_KEYID_free > > AUTHORITY_KEYID_Pointer

Definition: gadgets.h:71

Ssl::AsnToSBuf

SBuf AsnToSBuf(const ASN1_STRING &)

converts ASN1_STRING to SBuf

Definition: gadgets.cc:473

Ssl::GENERAL_NAME_STACK_Pointer

std::unique_ptr< STACK_OF(GENERAL_NAME), sk_GENERAL_NAME_free_wrapper > GENERAL_NAME_STACK_Pointer

Definition: gadgets.h:74

Ssl::BIO_Pointer

std::unique_ptr< BIO, HardFun< void, BIO *, &BIO_vfree > > BIO_Pointer

Definition: gadgets.h:57

Ssl::X509_NAME_Pointer

std::unique_ptr< X509_NAME, HardFun< void, X509_NAME *, &X509_NAME_free > > X509_NAME_Pointer

Definition: gadgets.h:65

Ssl::sslCertAdaptAlgoritm

const char * sslCertAdaptAlgoritm(int alg)

Definition: gadgets.h:219

Ssl::ASN1_OCTET_STRING_Pointer

std::unique_ptr< ASN1_OCTET_STRING, HardFun< void, ASN1_OCTET_STRING *, &ASN1_OCTET_STRING_free > > ASN1_OCTET_STRING_Pointer

Definition: gadgets.h:61

SBuf

Definition: SBuf.h:93

Ssl::X509_STACK_Pointer

std::unique_ptr< STACK_OF(X509), sk_X509_free_wrapper > X509_STACK_Pointer

Definition: gadgets.h:53

Ssl::certSignAlgorithm

const char * certSignAlgorithm(int sg)

Definition: gadgets.h:182

Ssl::ReadPrivateKey

bool ReadPrivateKey(BIO_Pointer &bio, Security::PrivateKeyPointer &pkey, pem_password_cb *passwd_callback)

Definition: gadgets.cc:826

Ssl::ReadOnlyBioTiedTo

BIO_Pointer ReadOnlyBioTiedTo(const char *)

Definition: gadgets.cc:172

Ssl::certificateMatchesProperties

bool certificateMatchesProperties(X509 *peer_cert, CertificateProperties const &properties)

Definition: gadgets.cc:936

Ssl::CertificatesCmp

bool CertificatesCmp(const Security::CertPointer &cert1, const Security::CertPointer &cert2)

Definition: gadgets.cc:1038

Ssl::WriteX509Certificate

bool WriteX509Certificate(BIO_Pointer &bio, const Security::CertPointer &cert)

Definition: gadgets.cc:859

Ssl::X509_get_signature

const ASN1_BIT_STRING * X509_get_signature(const Security::CertPointer &)

Definition: gadgets.cc:1063

HardFun.h

Ssl::CertAdaptAlgorithmStr

const char * CertAdaptAlgorithmStr[]

Definition: gadgets.cc:239

Ssl::GENERAL_NAME_Pointer

std::unique_ptr< GENERAL_NAME, HardFun< void, GENERAL_NAME *, &GENERAL_NAME_free > > GENERAL_NAME_Pointer

Definition: gadgets.h:76

Ssl::ReportAndForgetErrors

std::ostream & ReportAndForgetErrors(std::ostream &)

Definition: gadgets.cc:36

Ssl::ReadOptionalCertificate

Security::CertPointer ReadOptionalCertificate(const BIO_Pointer &)

Definition: gadgets.cc:791

Ssl::OpenCertsFileForReading

bool OpenCertsFileForReading(BIO_Pointer &bio, const char *filename)

Definition: gadgets.cc:780

Ssl::CertAdaptAlgorithm

CertAdaptAlgorithm

Definition: gadgets.h:207

Ssl::algSignTrusted

@ algSignTrusted

Definition: gadgets.h:169

forward.h

Ssl::OPENSSL_free_for_c_strings

void OPENSSL_free_for_c_strings(char *const string)

Definition: gadgets.h:83

forward.h

Ssl::X509_EXTENSION_Pointer

std::unique_ptr< X509_EXTENSION, HardFun< void, X509_EXTENSION *, &X509_EXTENSION_free > > X509_EXTENSION_Pointer

Definition: gadgets.h:78

Ssl::algSignEnd

@ algSignEnd

Definition: gadgets.h:169

Ssl::generateSslCertificate

bool generateSslCertificate(Security::CertPointer &cert, Security::PrivateKeyPointer &pkey, CertificateProperties const &properties)

Definition: gadgets.cc:769

Ssl

Definition: Xaction.cc:39

Ssl::CertificateProperties::operator=

CertificateProperties & operator=(CertificateProperties const &)

Ssl::getOrganization

const char * getOrganization(X509 *x509)

Definition: gadgets.cc:1032

Ssl::CertSignAlgorithmStr

const char * CertSignAlgorithmStr[]

Definition: gadgets.cc:232

Ssl::algSetValidAfter

@ algSetValidAfter

Definition: gadgets.h:207

Ssl::UniqueCString

std::unique_ptr< char, HardFun< void, char *, &OPENSSL_free_for_c_strings > > UniqueCString

Definition: gadgets.h:84

Ssl::CertificateProperties::setValidBefore

bool setValidBefore

Do not mimic "Not Valid Before" field.

Definition: gadgets.h:239

forward.h

Ssl::TXT_DB_Pointer

std::unique_ptr< TXT_DB, HardFun< void, TXT_DB *, &TXT_DB_free > > TXT_DB_Pointer

Definition: gadgets.h:63

Ssl::algSetCommonName

@ algSetCommonName

Definition: gadgets.h:207

Ssl::algSignSelf

@ algSignSelf

Definition: gadgets.h:169

Ssl::CertificateProperties::signWithPkey

Security::PrivateKeyPointer signWithPkey

The key of the signing certificate.

Definition: gadgets.h:237

crtd_message.h

openssl.h

Ssl::OneLineSummary

UniqueCString OneLineSummary(X509_NAME &)

a RAII wrapper for the memory-allocating flavor of X509_NAME_oneline()

Definition: gadgets.cc:879

Ssl::ReadPrivateKeyFromFile

void ReadPrivateKeyFromFile(char const *keyFilename, Security::PrivateKeyPointer &pkey, pem_password_cb *passwd_callback)

Definition: gadgets.cc:837

Ssl::algSignUntrusted

@ algSignUntrusted

Definition: gadgets.h:169

Ssl::sslDateIsInTheFuture

bool sslDateIsInTheFuture(char const *date)

Definition: gadgets.cc:884

Ssl::ParseAsSimpleDomainNameOrIp

std::optional< AnyP::Host > ParseAsSimpleDomainNameOrIp(const SBuf &)

Definition: gadgets.cc:496

Ssl::algSetValidBefore

@ algSetValidBefore

Definition: gadgets.h:207

Ssl::X509_REQ_Pointer

std::unique_ptr< X509_REQ, HardFun< void, X509_REQ *, &X509_REQ_free > > X509_REQ_Pointer

Definition: gadgets.h:69

Ssl::CertificateProperties::commonName

std::string commonName

A CN to use for the generated certificate.

Definition: gadgets.h:241

Ssl::sk_dtor_wrapper

sk_dtor_wrapper(sk_X509, STACK_OF(X509) *, X509_free)

Ssl::OpenCertsFileForWriting

bool OpenCertsFileForWriting(BIO_Pointer &bio, const char *filename)

Definition: gadgets.cc:848

Ssl::X509_STORE_CTX_Pointer

std::unique_ptr< X509_STORE_CTX, HardFun< void, X509_STORE_CTX *, &X509_STORE_CTX_free > > X509_STORE_CTX_Pointer

Definition: gadgets.h:80

Ssl::ForgetErrors

void ForgetErrors()

Clear any errors accumulated by OpenSSL in its global storage.

Definition: gadgets.cc:19

Ssl::WritePrivateKey

bool WritePrivateKey(BIO_Pointer &bio, const Security::PrivateKeyPointer &pkey)

Definition: gadgets.cc:869

Ssl::algSetEnd

@ algSetEnd

Definition: gadgets.h:207

Ssl::CertificateProperties::signAlgorithm

CertSignAlgorithm signAlgorithm

The signing algorithm to use.

Definition: gadgets.h:242

Ssl::certSignAlgorithmId

CertSignAlgorithm certSignAlgorithmId(const char *sg)

Definition: gadgets.h:194

Ssl::EVP_PKEY_CTX_Pointer

std::unique_ptr< EVP_PKEY_CTX, HardFun< void, EVP_PKEY_CTX *, &EVP_PKEY_CTX_free > > EVP_PKEY_CTX_Pointer

Definition: gadgets.h:67

Ssl::CertificateProperties::setValidAfter

bool setValidAfter

Do not mimic "Not Valid After" field.

Definition: gadgets.h:238

Ssl::BIGNUM_Pointer

std::unique_ptr< BIGNUM, HardFun< void, BIGNUM *, &BN_free > > BIGNUM_Pointer

Definition: gadgets.h:55

Ssl::writeCertAndPrivateKeyToMemory

bool writeCertAndPrivateKeyToMemory(Security::CertPointer const &cert, Security::PrivateKeyPointer const &pkey, std::string &bufferToWrite)

Definition: gadgets.cc:99

Ssl::OnDiskCertificateDbKey

std::string & OnDiskCertificateDbKey(const CertificateProperties &)

Definition: gadgets.cc:269

STACK_OF

STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx)

Definition: openssl.h:237

Ssl::CertificateProperties::setCommonName

bool setCommonName

Replace the CN field of the mimicking subject with the given.

Definition: gadgets.h:240

Security::LockingPointer< X509, X509_free_cpp, HardFun< int, X509 *, X509_up_ref > >

Ssl::readCertAndPrivateKeyFromMemory

bool readCertAndPrivateKeyFromMemory(Security::CertPointer &cert, Security::PrivateKeyPointer &pkey, char const *bufferToRead)

squid-cache.org

Optimising Web Delivery

Introduction

Documentation

Support

Miscellaneous