1 /*
2  * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 /* DEBUG: section 83 SSL accelerator support */
10 
11 #ifndef SQUID_SSL_SUPPORT_H
12 #define SQUID_SSL_SUPPORT_H
13 
14 #if USE_OPENSSL
15 
16 #include "base/CbDataList.h"
17 #include "comm/forward.h"
18 #include "sbuf/SBuf.h"
19 #include "security/forward.h"
20 #include "ssl/gadgets.h"
21 
22 #if HAVE_OPENSSL_X509V3_H
23 #include <openssl/x509v3.h>
24 #endif
25 #if HAVE_OPENSSL_ERR_H
26 #include <openssl/err.h>
27 #endif
28 #if HAVE_OPENSSL_ENGINE_H
29 #include <openssl/engine.h>
30 #endif
31 #include <queue>
32 #include <map>
33 
// Custom SSL errors; assumes all official errors are positive
// (negative values therefore cannot collide with any OpenSSL X509_V_ERR_* code)
#define SQUID_X509_V_ERR_INFINITE_VALIDATION -4
#define SQUID_X509_V_ERR_CERT_CHANGE -3
#define SQUID_ERR_SSL_HANDSHAKE -2
#define SQUID_X509_V_ERR_DOMAIN_MISMATCH -1
// All SSL errors range: from smallest (negative) custom to largest SSL error
// NOTE(review): SQUID_SSL_ERROR_MIN resolves to SQUID_X509_V_ERR_CERT_CHANGE (-3),
// yet SQUID_X509_V_ERR_INFINITE_VALIDATION (-4) is defined above it, so that
// code lies outside [SQUID_SSL_ERROR_MIN, SQUID_SSL_ERROR_MAX]. Confirm whether
// range-based consumers are meant to skip it or whether MIN should be -4.
// NOTE(review): INT_MAX lives in <climits>, which this header does not include
// directly; it is presumably reached through one of the includes above - confirm.
#define SQUID_SSL_ERROR_MIN SQUID_X509_V_ERR_CERT_CHANGE
#define SQUID_SSL_ERROR_MAX INT_MAX

// Maximum certificate validation callbacks. OpenSSL versions exceeding this
// limit are deemed stuck in an infinite validation loop (OpenSSL bug #3090)
// and will trigger the SQUID_X509_V_ERR_INFINITE_VALIDATION error.
// Can be set to a number up to UINT32_MAX
// The #ifndef lets a build override the cap; the default below is what the
// code ships with.
#ifndef SQUID_CERT_VALIDATION_ITERATION_MAX
#define SQUID_CERT_VALIDATION_ITERATION_MAX 16384
#endif
55 
56 namespace AnyP
57 {
58 class PortCfg;
59 };
60 
61 namespace Ipc
62 {
63 class MemMap;
64 }
65 
66 namespace Ssl
67 {
70 void Initialize();
71 
72 class ErrorDetail;
75 
78 
81 
84 
87 
88 } //namespace Ssl
89 
91 const char *sslGetUserEmail(SSL *ssl);
92 
94 const char *sslGetUserAttribute(SSL *ssl, const char *attribute_name);
95 
97 const char *sslGetCAAttribute(SSL *ssl, const char *attribute_name);
98 
100 const char *sslGetUserCertificatePEM(SSL *ssl);
101 
103 const char *sslGetUserCertificateChainPEM(SSL *ssl);
104 
105 namespace Ssl
106 {
108 typedef char const *GETX509ATTRIBUTE(X509 *, const char *);
109 
112 
115 
118 
119 extern const EVP_MD *DefaultSignHash;
120 
126 
128 
133 extern std::vector<const char *>BumpModeStr;
134 
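/// Human-readable name of an Ssl::BumpMode value.
/// \param bm a BumpMode value, or any int a caller happens to pass
/// \return the matching entry of Ssl::BumpModeStr, or nullptr when bm is
///         outside [0, Ssl::bumpEnd)
inline const char *bumpMode(int bm)
{
    // Range-check before indexing so out-of-range ints never reach the table.
    // BumpModeStr.at() would additionally throw std::out_of_range if the
    // vector were shorter than Ssl::bumpEnd, so the table is assumed to hold
    // at least bumpEnd entries (defined in support.cc, not visible here).
    return (0 <= bm && bm < Ssl::bumpEnd) ? Ssl::BumpModeStr.at(bm) : nullptr;
}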
143 
145 typedef std::multimap<SBuf, X509 *> CertsIndexedList;
146 
150 bool loadCerts(const char *certsFile, Ssl::CertsIndexedList &list);
151 
156 bool loadSquidUntrusted(const char *path);
157 
162 void unloadSquidUntrusted();
163 
170 void SSL_add_untrusted_cert(SSL *ssl, X509 *cert);
171 
176 const char *uriOfIssuerIfMissing(X509 *cert, Security::CertList const &serverCertificates, const Security::ContextPointer &context);
177 
182 void missingChainCertificatesUrls(std::queue<SBuf> &URIs, Security::CertList const &serverCertificates, const Security::ContextPointer &context);
183 
188 bool generateUntrustedCert(Security::CertPointer & untrustedCert, Security::PrivateKeyPointer & untrustedPkey, Security::CertPointer const & cert, Security::PrivateKeyPointer const & pkey);
189 
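// NOTE(review): this spot used to repeat, verbatim, the declarations of
// CertsIndexedList, loadCerts(), loadSquidUntrusted() and unloadSquidUntrusted()
// already made earlier in namespace Ssl. The duplicates were redundant (same
// typedef, same prototypes) and have been removed; the earlier declarations
// remain the single place these names are introduced.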
212 
218 
227 
234 
239 Security::ContextPointer createSSLContext(Security::CertPointer & x509, Security::PrivateKeyPointer & pkey, Security::ServerOptions &);
240 
246 
252 
258 bool configureSSL(SSL *ssl, CertificateProperties const &properties, AnyP::PortCfg &port);
259 
265 bool configureSSLUsingPkeyAndCertFromMemory(SSL *ssl, const char *data, AnyP::PortCfg &port);
266 
272 
278 void useSquidUntrusted(SSL_CTX *sslContext);
279 
287 void readCertChainAndPrivateKeyFromFiles(Security::CertPointer & cert, Security::PrivateKeyPointer & pkey, Security::CertList &chain, char const * certFilename, char const * keyFilename);
288 
298 int matchX509CommonNames(X509 *peer_cert, void *check_data, int (*check_func)(void *check_data, ASN1_STRING *cn_data));
299 
307 bool checkX509ServerValidity(X509 *cert, const char *server);
308 
317 int asn1timeToString(ASN1_TIME *tm, char *buf, int len);
318 
325 bool setClientSNI(SSL *ssl, const char *fqdn);
326 
331 void InRamCertificateDbKey(const Ssl::CertificateProperties &certProperties, SBuf &key);
332 
338 BIO *BIO_new_SBuf(SBuf *buf);
339 } //namespace Ssl
340 
341 #if _SQUID_WINDOWS_
342 
343 #if defined(__cplusplus)
344 
346 namespace Squid
347 {
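/// Windows-only wrapper for OpenSSL's SSL_set_fd(). The fd passed in is
/// presumably a CRT file descriptor, while OpenSSL on Windows expects the
/// underlying OS socket handle, so the descriptor is translated with
/// _get_osfhandle() first. The SSL_set_fd macro defined right after this
/// function redirects unqualified calls here; callers must not spell
/// Squid::SSL_set_fd(...) themselves, because the function-like macro would
/// then expand inside the qualified name and break compilation.
/// \param ssl the SSL object to attach the socket to
/// \param fd a CRT file descriptor
/// \return whatever ::SSL_set_fd() returns (1 on success, 0 on failure)
inline
int SSL_set_fd(SSL *ssl, int fd)
{
    // _get_osfhandle() returns an intptr_t but ::SSL_set_fd() takes an int,
    // so the handle is narrowed here. The conversion is made explicit rather
    // than left implicit; Windows documents kernel handles as using only the
    // low 32 bits, so it is believed lossless - TODO confirm for all targets.
    return ::SSL_set_fd(ssl, static_cast<int>(_get_osfhandle(fd)));
}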
356 
358 #define SSL_set_fd(ssl,fd) Squid::SSL_set_fd(ssl,fd)
359 
360 } /* namespace Squid */
361 
362 #else
363 
365 #define SSL_set_fd(s,f) (SSL_set_fd(s, _get_osfhandle(f)))
366 
367 #endif /* __cplusplus */
368 
369 #endif /* _SQUID_WINDOWS_ */
370 
371 #endif /* USE_OPENSSL */
372 #endif /* SQUID_SSL_SUPPORT_H */
373 