support.h
1 /*
2  * Copyright (C) 1996-2018 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 /* DEBUG: section 83 SSL accelerator support */
10 
11 #ifndef SQUID_SSL_SUPPORT_H
12 #define SQUID_SSL_SUPPORT_H
13 
14 #if USE_OPENSSL
15 
16 #include "base/CbDataList.h"
17 #include "comm/forward.h"
18 #include "compat/openssl.h"
19 #include "sbuf/SBuf.h"
20 #include "security/forward.h"
21 #include "ssl/gadgets.h"
22 
23 #if HAVE_OPENSSL_X509V3_H
24 #include <openssl/x509v3.h>
25 #endif
26 #if HAVE_OPENSSL_ERR_H
27 #include <openssl/err.h>
28 #endif
29 #if HAVE_OPENSSL_ENGINE_H
30 #include <openssl/engine.h>
31 #endif
32 #include <queue>
33 #include <map>
34 
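// Custom SSL errors; assumes all official errors are positive.
// Every Squid-specific code must therefore stay negative so it can never
// collide with an OpenSSL-assigned (positive) error number.
#define SQUID_X509_V_ERR_INFINITE_VALIDATION -4
#define SQUID_X509_V_ERR_CERT_CHANGE -3
#define SQUID_ERR_SSL_HANDSHAKE -2
#define SQUID_X509_V_ERR_DOMAIN_MISMATCH -1
// All SSL errors range: from smallest (negative) custom to largest SSL error.
// SQUID_SSL_ERROR_MIN must track the most negative custom code defined above.
// It used to name SQUID_X509_V_ERR_CERT_CHANGE (-3), which left
// SQUID_X509_V_ERR_INFINITE_VALIDATION (-4) outside the declared range; any
// range check written against these two bounds would have rejected it.
#define SQUID_SSL_ERROR_MIN SQUID_X509_V_ERR_INFINITE_VALIDATION
#define SQUID_SSL_ERROR_MAX INT_MAX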
48 
// Maximum certificate validation callbacks. OpenSSL versions exceeding this
// limit are deemed stuck in an infinite validation loop (OpenSSL bug #3090)
// and will trigger the SQUID_X509_V_ERR_INFINITE_VALIDATION error.
// Can be set to a number up to UINT32_MAX. The guard below lets the build
// predefine the value (e.g. via -D) in which case this default is skipped.
#if !defined(SQUID_CERT_VALIDATION_ITERATION_MAX)
#define SQUID_CERT_VALIDATION_ITERATION_MAX 16384
#endif
56 
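// Forward declarations: this header refers to these types only through
// references/pointers (e.g. AnyP::PortCfg &port below), so the full
// definitions are not needed here.
// The stray ';' that followed the AnyP closing brace was dropped; it was an
// empty declaration and inconsistent with the Ipc block.
namespace AnyP
{
class PortCfg;
}

namespace Ipc
{
class MemMap;
}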
66 
namespace Ssl
{

/// Passphrase callback in the shape of OpenSSL's pem_password_cb
/// (buf/size/rwflag/userdata). Defined in support.cc; where the passphrase
/// comes from is not visible in this header.
int AskPasswordCb(char *buf, int size, int rwflag, void *userdata);

/// One-time OpenSSL setup for Squid; defined in support.cc.
void Initialize();

/// Details of a TLS/certificate error; full definition lives elsewhere.
class ErrorDetail;





} //namespace Ssl
95 
// The sslGet* accessors below read from an SSL session. From their names they
// appear to expose the peer (client) certificate — confirm in support.cc.
// Each returns a C string; ownership and lifetime of that buffer are not
// visible from this header, so check support.cc before retaining a pointer.

/// Email address found in the user certificate (support.cc).
const char *sslGetUserEmail(SSL *ssl);

/// Named attribute of the user certificate (support.cc).
const char *sslGetUserAttribute(SSL *ssl, const char *attribute_name);

/// Named attribute of the CA certificate associated with the session (support.cc).
const char *sslGetCAAttribute(SSL *ssl, const char *attribute_name);

/// PEM encoding of the user certificate (support.cc).
const char *sslGetUserCertificatePEM(SSL *ssl);

/// PEM encoding of the user certificate chain (support.cc).
const char *sslGetUserCertificateChainPEM(SSL *ssl);
110 
namespace Ssl
{
/// Function type shared by the X509 attribute accessors of this namespace:
/// given a certificate and an attribute name, return a C string.
/// GetX509UserAttribute, GetX509CAAttribute and GetX509Fingerprint are
/// declared with this type (on lines this listing does not show).
typedef char const *GETX509ATTRIBUTE(X509 *, const char *);

/// Default message digest for signing; the concrete algorithm is chosen in
/// support.cc, not here.
extern const EVP_MD *DefaultSignHash;

/// Textual names of the Ssl::BumpMode values, indexed by mode value.
/// Populated in support.cc; bumpMode() below relies on it covering
/// every value below bumpEnd.
extern std::vector<const char *>BumpModeStr;
140 
/// Human-readable name of an Ssl::BumpMode value.
/// Returns NULL for any bm outside [0, bumpEnd). In-range values go through
/// std::vector::at(), so a BumpModeStr shorter than bumpEnd throws
/// std::out_of_range instead of reading past the end of the table.
inline const char *bumpMode(int bm)
{
    if (bm < 0 || bm >= Ssl::bumpEnd)
        return NULL;
    return Ssl::BumpModeStr.at(bm);
}
149 
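/// certificates indexed by issuer name
/// The X509 objects are held by raw pointer, so the type says nothing about
/// who frees them — presumably the loader/unloader pair below; confirm in
/// support.cc before copying or destroying one of these outside that pair.
typedef std::multimap<SBuf, X509 *> CertsIndexedList;

/// Loads the certificates found in certsFile into list (support.cc).
/// The bool result presumably reports success — confirm in support.cc.
bool loadCerts(const char *certsFile, Ssl::CertsIndexedList &list);

/// Loads the "squid untrusted" certificate set from path (support.cc);
/// paired with unloadSquidUntrusted().
bool loadSquidUntrusted(const char *path);

/// Releases whatever loadSquidUntrusted() loaded (support.cc).
void unloadSquidUntrusted();

/// Adds cert to the untrusted-certificate set of the given SSL session (support.cc).
void SSL_add_untrusted_cert(SSL *ssl, X509 *cert);

/// For a cert whose issuer is missing from serverCertificates and the
/// context's store, returns the URI from which the issuer may be fetched
/// (support.cc decides the details). The URI presumably originates in the
/// certificate itself, i.e. in peer-supplied data; treat it as untrusted
/// input for any fetch made with it.
const char *uriOfIssuerIfMissing(X509 *cert, Security::CertList const &serverCertificates, const Security::ContextPointer &context);

/// Collects into URIs the issuer-fetch URIs for every missing chain
/// certificate (see uriOfIssuerIfMissing); defined in support.cc.
void missingChainCertificatesUrls(std::queue<SBuf> &URIs, Security::CertList const &serverCertificates, const Security::ContextPointer &context);

/// Generates an "untrusted" certificate/key pair (untrustedCert,
/// untrustedPkey) derived from cert/pkey (support.cc).
bool generateUntrustedCert(Security::CertPointer & untrustedCert, Security::PrivateKeyPointer & untrustedPkey, Security::CertPointer const & cert, Security::PrivateKeyPointer const & pkey);

// NOTE(review): a second, identical set of declarations for CertsIndexedList,
// loadCerts(), loadSquidUntrusted() and unloadSquidUntrusted() used to follow
// here. Repeating a typedef and prototypes is legal C++ but pointless, and it
// let the two copies' documentation drift; the duplicates were removed.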
218 
224 
233 
240 
/// Create SSL context and apply ssl certificate and private key to it.
/// Defined in support.cc; the failure contract (e.g. an empty pointer) is
/// not visible here, so callers should check the returned pointer.
Security::ContextPointer createSSLContext(Security::CertPointer & x509, Security::PrivateKeyPointer & pkey, Security::ServerOptions &);



/// Applies the requested certificate properties to an existing SSL object
/// for the given listening port (support.cc). The bool result presumably
/// reports success — confirm in support.cc.
bool configureSSL(SSL *ssl, CertificateProperties const &properties, AnyP::PortCfg &port);

/// Like configureSSL, but the certificate and key come from the in-memory
/// text `data` (presumably PEM — confirm in support.cc) rather than from
/// CertificateProperties.
bool configureSSLUsingPkeyAndCertFromMemory(SSL *ssl, const char *data, AnyP::PortCfg &port);

/// Attaches the "squid untrusted" certificate set (see loadSquidUntrusted)
/// to sslContext (support.cc).
void useSquidUntrusted(SSL_CTX *sslContext);

/// Calls check_func(check_data, cn_data) for common names found in peer_cert.
/// Which name fields are visited (subject CN only, or also alternatives) is
/// decided in support.cc, not here. cn_data is peer-controlled input: it is
/// an ASN1_STRING, not a NUL-terminated C string, so check_func must honour
/// its length rather than assume termination.
int matchX509CommonNames(X509 *peer_cert, void *check_data, int (*check_func)(void *check_data, ASN1_STRING *cn_data));

/// True if cert is acceptable for the host named by server (support.cc).
bool checkX509ServerValidity(X509 *cert, const char *server);

/// Formats tm into the caller-supplied buffer buf of len bytes (support.cc).
/// The meaning of the int result (length written vs. status) is not visible
/// from this header.
int asn1timeToString(ASN1_TIME *tm, char *buf, int len);

/// Sets the TLS SNI host name on an outgoing (client-side) SSL session.
/// NOTE(review): SNI carries host names only, not IP literals; whether that
/// filtering happens here or in the caller is not visible from this header.
void setClientSNI(SSL *ssl, const char *fqdn);

/// Derives the lookup key for the in-RAM certificate database from
/// certProperties and writes it into key (support.cc).
void InRamCertificateDbKey(const Ssl::CertificateProperties &certProperties, SBuf &key);

/// Creates an OpenSSL BIO backed by buf (support.cc). Whether the BIO takes
/// ownership of buf is not visible here — confirm in support.cc before
/// letting buf go out of scope while the BIO is alive.
BIO *BIO_new_SBuf(SBuf *buf);
} //namespace Ssl
330 
331 #if _SQUID_WINDOWS_
332 
333 #if defined(__cplusplus)
334 
namespace Squid
{
/// Windows-only shim: OpenSSL wants the OS socket handle, while Squid passes
/// around C-runtime descriptors, so translate with _get_osfhandle() first.
/// NOTE(review): _get_osfhandle() presumably yields an intptr_t; handing it
/// to ::SSL_set_fd(SSL *, int) narrows it to int on 64-bit builds. This is
/// unchanged from the original wrapper — confirm it is acceptable for the
/// handles Squid uses here.
inline
int SSL_set_fd(SSL *ssl, int fd)
{
    const auto osHandle = _get_osfhandle(fd);
    return ::SSL_set_fd(ssl, osHandle);
}

// Route every subsequent SSL_set_fd() call through the shim above. The
// macro is defined after the function so the definition itself is not
// rewritten by it.
#define SSL_set_fd(ssl,fd) Squid::SSL_set_fd(ssl,fd)

} /* namespace Squid */
351 
352 #else
353 
355 #define SSL_set_fd(s,f) (SSL_set_fd(s, _get_osfhandle(f)))
356 
357 #endif /* __cplusplus */
358 
359 #endif /* _SQUID_WINDOWS_ */
360 
361 #endif /* USE_OPENSSL */
362 #endif /* SQUID_SSL_SUPPORT_H */
363 
std::multimap< SBuf, X509 * > CertsIndexedList
certificates indexed by issuer name
Definition: support.h:151
GETX509ATTRIBUTE GetX509UserAttribute
Definition: support.h:117
std::vector< const char * > BumpModeStr
Definition: support.cc:45
bool verifySslCertificate(Security::ContextPointer &, CertificateProperties const &)
Definition: support.cc:902
Definition: SBuf.h:86
void configureUnconfiguredSslContext(Security::ContextPointer &, Ssl::CertSignAlgorithm signAlgorithm, AnyP::PortCfg &)
Definition: support.cc:852
int AskPasswordCb(char *buf, int size, int rwflag, void *userdata)
Definition: support.cc:63
char const * GETX509ATTRIBUTE(X509 *, const char *)
Definition: support.h:114
std::list< Security::CertPointer > CertList
Definition: forward.h:80
const char * bumpMode(int bm)
Definition: support.h:145
bool loadSquidUntrusted(const char *path)
Definition: support.cc:1190
bool loadCerts(const char *certsFile, Ssl::CertsIndexedList &list)
Definition: support.cc:977
BumpStep
Definition: support.h:133
const char * sslGetUserAttribute(SSL *ssl, const char *attribute_name)
Definition: support.cc:672
TLS squid.conf settings for a remote server peer.
Definition: PeerOptions.h:22
Security::ContextPointer GenerateSslContextUsingPkeyAndCertFromMemory(const char *data, Security::ServerOptions &, bool trusted)
Definition: support.cc:799
void chainCertificatesToSSLContext(Security::ContextPointer &, Security::ServerOptions &)
Definition: support.cc:827
const char * sslGetCAAttribute(SSL *ssl, const char *attribute_name)
Definition: support.cc:685
Security::ContextPointer GenerateSslContext(CertificateProperties const &, Security::ServerOptions &, bool trusted)
Definition: support.cc:813
void useSquidUntrusted(SSL_CTX *sslContext)
Definition: support.cc:1184
RefCount< CertValidationResponse > CertValidationResponsePointer
Definition: support.h:79
bool InitServerContext(Security::ContextPointer &, AnyP::PortCfg &)
initialize a TLS server context with OpenSSL specific settings
Definition: support.cc:522
void const char HLPCB void * data
Definition: stub_helper.cc:16
bool configureSSLUsingPkeyAndCertFromMemory(SSL *ssl, const char *data, AnyP::PortCfg &port)
Definition: support.cc:882
const char * sslGetUserCertificateChainPEM(SSL *ssl)
Definition: support.cc:743
void missingChainCertificatesUrls(std::queue< SBuf > &URIs, Security::CertList const &serverCertificates, const Security::ContextPointer &context)
Definition: support.cc:1080
CertSignAlgorithm
Definition: gadgets.h:150
GETX509ATTRIBUTE GetX509CAAttribute
Definition: support.h:120
bool InitClientContext(Security::ContextPointer &, Security::PeerOptions &, long flags)
initialize a TLS client context with OpenSSL specific settings
Definition: support.cc:531
std::shared_ptr< SSL_CTX > ContextPointer
Definition: Context.h:29
Security::ContextPointer createSSLContext(Security::CertPointer &x509, Security::PrivateKeyPointer &pkey, Security::ServerOptions &)
Create SSL context and apply ssl certificate and private key to it.
Definition: support.cc:782
void MaybeSetupRsaCallback(Security::ContextPointer &)
if required, setup callback for generating ephemeral RSA keys
Definition: support.cc:170
void SSL_add_untrusted_cert(SSL *ssl, X509 *cert)
Definition: support.cc:1092
static int port
Definition: ldap_backend.cc:69
int unsigned int const char *desc STUB void int len
Definition: stub_fd.cc:20
void const char * buf
Definition: stub_helper.cc:16
const char * uriOfIssuerIfMissing(X509 *cert, Security::CertList const &serverCertificates, const Security::ContextPointer &context)
Definition: support.cc:1059
void Initialize()
Definition: support.cc:479
bool configureSSL(SSL *ssl, CertificateProperties const &properties, AnyP::PortCfg &port)
Definition: support.cc:859
bool checkX509ServerValidity(X509 *cert, const char *server)
Definition: support.cc:251
void InRamCertificateDbKey(const Ssl::CertificateProperties &certProperties, SBuf &key)
Definition: support.cc:1229
static char server[MAXLINE]
void setClientSNI(SSL *ssl, const char *fqdn)
Definition: support.cc:927
bool generateUntrustedCert(Security::CertPointer &untrustedCert, Security::PrivateKeyPointer &untrustedPkey, Security::CertPointer const &cert, Security::PrivateKeyPointer const &pkey)
Definition: support.cc:1206
int asn1timeToString(ASN1_TIME *tm, char *buf, int len)
Definition: support.cc:178
TLS squid.conf settings for a listening port.
Definition: ServerOptions.h:25
const char * sslGetUserCertificatePEM(SSL *ssl)
Definition: support.cc:705
int matchX509CommonNames(X509 *peer_cert, void *check_data, int(*check_func)(void *check_data, ASN1_STRING *cn_data))
Definition: support.cc:192
BumpMode
Definition: support.h:131
const EVP_MD * DefaultSignHash
Definition: support.cc:43
GETX509ATTRIBUTE GetX509Fingerprint
Definition: support.h:123
void SetupVerifyCallback(Security::ContextPointer &)
set the certificate verify callback for a context
Definition: support.cc:393
void unloadSquidUntrusted()
Definition: support.cc:1196
const char * sslGetUserEmail(SSL *ssl)
Definition: support.cc:699
BIO * BIO_new_SBuf(SBuf *buf)
Definition: support.cc:1305
#define NULL
Definition: types.h:166
int size
Definition: ModDevPoll.cc:77

 
