1 /*
2  * Copyright (C) 1996-2019 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 /* DEBUG: section 83 SSL accelerator support */
10 
11 #ifndef SQUID_SSL_SUPPORT_H
12 #define SQUID_SSL_SUPPORT_H
13 
14 #if USE_OPENSSL
15 
16 #include "base/CbDataList.h"
17 #include "comm/forward.h"
18 #include "compat/openssl.h"
19 #include "sbuf/SBuf.h"
20 #include "security/forward.h"
21 #include "ssl/gadgets.h"
22 
23 #if HAVE_OPENSSL_X509V3_H
24 #include <openssl/x509v3.h>
25 #endif
26 #if HAVE_OPENSSL_ERR_H
27 #include <openssl/err.h>
28 #endif
29 #if HAVE_OPENSSL_ENGINE_H
30 #include <openssl/engine.h>
31 #endif
32 #include <queue>
33 #include <map>
34 
// Custom SSL errors; assumes all official errors are positive
// (X509_V_OK is 0 and OpenSSL's X509_V_ERR_* codes are positive, so negative
// values cannot collide with them).
#define SQUID_X509_V_ERR_INFINITE_VALIDATION -4
#define SQUID_X509_V_ERR_CERT_CHANGE -3
#define SQUID_ERR_SSL_HANDSHAKE -2
#define SQUID_X509_V_ERR_DOMAIN_MISMATCH -1
// All SSL errors range: from smallest (negative) custom to largest SSL error
// NOTE(review): SQUID_X509_V_ERR_INFINITE_VALIDATION (-4) lies below
// SQUID_SSL_ERROR_MIN (-3), which contradicts the comment above; any range
// check built on [SQUID_SSL_ERROR_MIN, SQUID_SSL_ERROR_MAX] will treat that
// error as out of range -- confirm whether this is intended.
#define SQUID_SSL_ERROR_MIN SQUID_X509_V_ERR_CERT_CHANGE
// NOTE(review): INT_MAX comes from <climits>, which this header does not
// include directly; presumably it arrives transitively -- verify.
#define SQUID_SSL_ERROR_MAX INT_MAX

// Maximum certificate validation callbacks. OpenSSL versions exceeding this
// limit are deemed stuck in an infinite validation loop (OpenSSL bug #3090)
// and will trigger the SQUID_X509_V_ERR_INFINITE_VALIDATION error.
// Can be set to a number up to UINT32_MAX
// The bounded callback count is what turns the runaway loop into a reported
// error rather than a hung worker; keep it finite when overriding at build time.
#ifndef SQUID_CERT_VALIDATION_ITERATION_MAX
#define SQUID_CERT_VALIDATION_ITERATION_MAX 16384
#endif
56 
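/// Forward declaration only; AnyP::PortCfg is defined elsewhere.
/// The stray ';' after the closing brace (an empty declaration, flagged by
/// -Wextra-semi) has been dropped to match the Ipc namespace below.
namespace AnyP
{
class PortCfg;
}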
61 
/// Forward declaration only; Ipc::MemMap is defined elsewhere.
namespace Ipc { class MemMap; }
66 
namespace Ssl
{

/// Passphrase callback with the OpenSSL pem_password_cb signature
/// (buf, size, rwflag, userdata). Per the OpenSSL contract it must write at
/// most size bytes into buf and return the passphrase length, or -1 on error.
/// Where it is registered (presumably for encrypted private-key loading) is
/// in support.cc, not here.
int AskPasswordCb(char *buf, int size, int rwflag, void *userdata);

/// Module initialisation; what it sets up is defined in support.cc.
void Initialize();

class ErrorDetail;





} //namespace Ssl
95 
/// Email address associated with the peer ("user") certificate on ssl.
/// Presumably returns NULL when no such value exists -- confirm in support.cc.
/// Lifetime of the returned storage is not documented here; do not assume it
/// survives the next call.
const char *sslGetUserEmail(SSL *ssl);

/// Named attribute from the peer ("user") certificate on ssl; same
/// NULL/lifetime caveats as sslGetUserEmail(). attribute_name presumably
/// selects an X509 name entry -- confirm.
const char *sslGetUserAttribute(SSL *ssl, const char *attribute_name);

/// Named attribute from the CA (issuer) side of the peer's chain; same
/// NULL/lifetime caveats as sslGetUserEmail().
const char *sslGetCAAttribute(SSL *ssl, const char *attribute_name);
104 
107 
110 
111 namespace Ssl
112 {
/// Function type: look up a named attribute on an X509 certificate.
typedef char const *GETX509ATTRIBUTE(X509 *, const char *);
/// Function type: render an X509 certificate into an SBuf (presumably PEM,
/// going by the name -- confirm against the .cc).
typedef SBuf GETX509PEM(X509 *);





/// Presumably the default message digest for signing generated
/// certificates (defined in support.cc) -- confirm. Anything weaker than the
/// current default weakens every certificate Squid generates.
extern const EVP_MD *DefaultSignHash;
136 
137 enum BumpStep {bumpStep1, bumpStep2, bumpStep3};
138 
143 extern std::vector<const char *>BumpModeStr;
144 
/// Name of the BumpMode value bm, or NULL for any bm outside [0, bumpEnd).
/// The explicit bounds check means a bad (e.g. config-derived) integer never
/// reaches the vector; the .at() lookup only guards against BumpModeStr being
/// shorter than bumpEnd.
inline const char *bumpMode(int bm)
{
    const bool inRange = (bm >= 0) && (bm < Ssl::bumpEnd);
    if (!inRange)
        return NULL;
    return Ssl::BumpModeStr.at(bm);
}
153 
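/// Certificates indexed by issuer name; a multimap so an issuer may map to
/// several certificates. The values are raw X509 pointers -- who owns and
/// frees them is not visible in this header (check the .cc).
typedef std::multimap<SBuf, X509 *> CertsIndexedList;

/// Reads the certificates in certsFile into list; false on failure
/// (the exact failure conditions are defined in support.cc).
bool loadCerts(const char *certsFile, Ssl::CertsIndexedList &list);

/// Loads the "untrusted" certificate set from path; false on failure.
/// What the set is used for is defined by the implementation, not here.
bool loadSquidUntrusted(const char *path);

/// Releases whatever loadSquidUntrusted() loaded.
void unloadSquidUntrusted();

/// Adds cert to the untrusted set consulted while verifying ssl's peer chain
/// (presumably as a chain-building helper, not a trust anchor -- confirm).
void SSL_add_untrusted_cert(SSL *ssl, X509 *cert);

/// URI of cert's issuer when that issuer is absent from both
/// serverCertificates and context; presumably NULL otherwise -- confirm.
/// Lifetime of the returned string is not documented here.
const char *uriOfIssuerIfMissing(X509 *cert, Security::CertList const &serverCertificates, const Security::ContextPointer &context);

/// Appends to URIs the locations of certificates missing from the
/// serverCertificates chain (see uriOfIssuerIfMissing()). These URIs are
/// presumably taken from the peer-supplied certificates, i.e. they are
/// peer-influenced input and must be validated before being fetched.
void missingChainCertificatesUrls(std::queue<SBuf> &URIs, Security::CertList const &serverCertificates, const Security::ContextPointer &context);

/// Produces untrustedCert/untrustedPkey derived from cert/pkey; false on
/// failure. Presumably overwrites the output pointers -- confirm.
bool generateUntrustedCert(Security::CertPointer & untrustedCert, Security::PrivateKeyPointer & untrustedPkey, Security::CertPointer const & cert, Security::PrivateKeyPointer const & pkey);

// (A second, identical set of CertsIndexedList/loadCerts/loadSquidUntrusted/
// unloadSquidUntrusted declarations used to follow here; redeclaring them was
// harmless but redundant, so only the declarations above remain.)

/// Create SSL context and apply ssl certificate and private key to it.
Security::ContextPointer createSSLContext(Security::CertPointer & x509, Security::PrivateKeyPointer & pkey, Security::ServerOptions &);

/// Configures ssl from properties for the given port; false on failure.
bool configureSSL(SSL *ssl, CertificateProperties const &properties, AnyP::PortCfg &port);

/// Like configureSSL(), but the certificate and private key are parsed from
/// the in-memory data (presumably PEM -- confirm against the .cc).
bool configureSSLUsingPkeyAndCertFromMemory(SSL *ssl, const char *data, AnyP::PortCfg &port);

/// Attaches the set loaded by loadSquidUntrusted() to sslContext.
void useSquidUntrusted(SSL_CTX *sslContext);

/// Invokes check_func(check_data, cn) for the common names found in
/// peer_cert (which names are covered, and the return convention, are
/// defined in support.cc).
int matchX509CommonNames(X509 *peer_cert, void *check_data, int (*check_func)(void *check_data, ASN1_STRING *cn_data));

/// Hostname verification: presumably true only when cert is valid for
/// server. Callers must treat false as a hard failure; proceeding anyway
/// defeats certificate validation.
bool checkX509ServerValidity(X509 *cert, const char *server);

/// Formats tm into buf. len is taken on trust as the real size of buf, so
/// callers must pass the actual buffer length. Return convention is defined
/// in support.cc.
int asn1timeToString(ASN1_TIME *tm, char *buf, int len);

/// Sets the client-side TLS SNI value on ssl to fqdn.
void setClientSNI(SSL *ssl, const char *fqdn);

/// Computes the in-RAM certificate DB lookup key for certProperties into key.
void InRamCertificateDbKey(const Ssl::CertificateProperties &certProperties, SBuf &key);

/// Creates a BIO backed by buf. buf must outlive the returned BIO; the
/// caller presumably owns the BIO and must free it -- confirm in support.cc.
BIO *BIO_new_SBuf(SBuf *buf);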
333 } //namespace Ssl
334 
335 #if _SQUID_WINDOWS_
336 
337 #if defined(__cplusplus)
338 
namespace Squid
{
/// Windows-only wrapper (this block is compiled under _SQUID_WINDOWS_):
/// hands ::SSL_set_fd() the OS handle behind the CRT descriptor fd instead
/// of fd itself.
/// NOTE(review): _get_osfhandle() returns intptr_t while ::SSL_set_fd()
/// takes int, so the handle is narrowed here -- confirm this is acceptable
/// on 64-bit builds.
inline
int SSL_set_fd(SSL *ssl, int fd)
{
    const auto handle = _get_osfhandle(fd);
    return ::SSL_set_fd(ssl, handle);
}

/// Route unqualified SSL_set_fd() calls through the wrapper above.
#define SSL_set_fd(ssl,fd) Squid::SSL_set_fd(ssl,fd)

} /* namespace Squid */
355 
356 #else
357 
359 #define SSL_set_fd(s,f) (SSL_set_fd(s, _get_osfhandle(f)))
360 
361 #endif /* __cplusplus */
362 
363 #endif /* _SQUID_WINDOWS_ */
364 
365 #endif /* USE_OPENSSL */
366 #endif /* SQUID_SSL_SUPPORT_H */
367 