support.h
1/*
2 * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9/* DEBUG: section 83 SSL accelerator support */
10
11#ifndef SQUID_SSL_SUPPORT_H
12#define SQUID_SSL_SUPPORT_H
13
14#if USE_OPENSSL
15
16#include "base/CbDataList.h"
17#include "comm/forward.h"
18#include "compat/openssl.h"
19#include "sbuf/SBuf.h"
20#include "security/Session.h"
21#include "ssl/gadgets.h"
22
23#if HAVE_OPENSSL_X509V3_H
24#include <openssl/x509v3.h>
25#endif
26#if HAVE_OPENSSL_ERR_H
27#include <openssl/err.h>
28#endif
29#if HAVE_OPENSSL_ENGINE_H
30#include <openssl/engine.h>
31#endif
32#include <queue>
33#include <map>
34
40// Maximum number of certificate validation callbacks. OpenSSL versions exceeding this
41// limit are deemed stuck in an infinite validation loop (OpenSSL bug #3090)
42// and will trigger the SQUID_X509_V_ERR_INFINITE_VALIDATION error.
43// Can be set to any number up to UINT32_MAX.
44#ifndef SQUID_CERT_VALIDATION_ITERATION_MAX
45#define SQUID_CERT_VALIDATION_ITERATION_MAX 16384
46#endif
47
48namespace AnyP
49{
50class PortCfg;
51};
52
53namespace Ipc
54{
55class MemMap;
56}
57
58namespace Ssl
59{
60
63int AskPasswordCb(char *buf, int size, int rwflag, void *userdata);
64
67void Initialize();
68
69class CertValidationResponse;
71
74
77
81
84
85} //namespace Ssl
86
88const char *sslGetUserEmail(SSL *ssl);
89
91const char *sslGetUserAttribute(SSL *ssl, const char *attribute_name);
92
94const char *sslGetCAAttribute(SSL *ssl, const char *attribute_name);
95
98
101
102namespace Ssl
103{
105typedef char const *GETX509ATTRIBUTE(X509 *, const char *);
106typedef SBuf GETX509PEM(X509 *);
107
110
113
116
119
120extern const EVP_MD *DefaultSignHash;
121
127
132extern std::vector<const char *>BumpModeStr;
133
/// Looks up the configuration string for a bump mode value.
/// \param bm a BumpMode value (any int is accepted; out-of-range values are tolerated)
/// \return the BumpModeStr entry for bm, or nullptr when bm is negative or
///         at/above bumpEnd. The lookup uses at(), so a BumpModeStr shorter
///         than bumpEnd would throw std::out_of_range instead of reading
///         out of bounds.
inline const char *bumpMode(int bm)
{
    const bool inRange = (bm >= 0) && (bm < Ssl::bumpEnd);
    if (!inRange)
        return nullptr;
    return Ssl::BumpModeStr.at(bm);
}
142
144typedef std::multimap<SBuf, X509 *> CertsIndexedList;
145
149bool loadCerts(const char *certsFile, Ssl::CertsIndexedList &list);
150
155bool loadSquidUntrusted(const char *path);
156
162
169void SSL_add_untrusted_cert(SSL *ssl, X509 *cert);
170
172const char *findIssuerUri(X509 *cert);
173
177Security::CertPointer findIssuerCertificate(X509 *cert, const STACK_OF(X509) *serverCertificates, const Security::ContextPointer &context);
178
184bool missingChainCertificatesUrls(std::queue<SBuf> &URIs, const STACK_OF(X509) &serverCertificates, const Security::ContextPointer &context);
185
190bool generateUntrustedCert(Security::CertPointer & untrustedCert, Security::PrivateKeyPointer & untrustedPkey, Security::CertPointer const & cert, Security::PrivateKeyPointer const & pkey);
191
193typedef std::multimap<SBuf, X509 *> CertsIndexedList;
194
199bool loadCerts(const char *certsFile, Ssl::CertsIndexedList &list);
200
206bool loadSquidUntrusted(const char *path);
207
214
220
229
236
242
248
254
260bool configureSSL(SSL *ssl, CertificateProperties const &properties, AnyP::PortCfg &port);
261
267bool configureSSLUsingPkeyAndCertFromMemory(SSL *ssl, const char *data, AnyP::PortCfg &port);
268
274void useSquidUntrusted(SSL_CTX *sslContext);
275
285int matchX509CommonNames(X509 *peer_cert, void *check_data, int (*check_func)(void *check_data, ASN1_STRING *cn_data));
286
294bool checkX509ServerValidity(X509 *cert, const char *server);
295
304int asn1timeToString(ASN1_TIME *tm, char *buf, int len);
305
311void setClientSNI(SSL *ssl, const char *fqdn);
312
317void InRamCertificateDbKey(const Ssl::CertificateProperties &certProperties, SBuf &key);
318
324BIO *BIO_new_SBuf(SBuf *buf);
325
333
334// TODO: Move other ssl_ex_index_* validation-related information here.
340public:
344
347
350
351 /* input parameters */
352
357
358 /* output parameters */
359
364 bool hidMissingIssuer = false;
365};
366
367} //namespace Ssl
368
369#if _SQUID_WINDOWS_
370
371#if defined(__cplusplus)
372
374namespace Squid
375{
/// Windows-only wrapper around OpenSSL's SSL_set_fd(): the CRT file
/// descriptor Squid holds is converted to its underlying OS handle with
/// _get_osfhandle() before being handed to OpenSSL.
/// NOTE(review): _get_osfhandle() returns intptr_t while ::SSL_set_fd()
/// takes an int, so the handle value is narrowed on this call path --
/// confirm this is safe for 64-bit builds.
inline
int SSL_set_fd(SSL *ssl, int fd)
{
    const auto osHandle = _get_osfhandle(fd);
    return ::SSL_set_fd(ssl, osHandle);
}
384
386#define SSL_set_fd(ssl,fd) Squid::SSL_set_fd(ssl,fd)
387
388} /* namespace Squid */
389
390#else
391
393#define SSL_set_fd(s,f) (SSL_set_fd(s, _get_osfhandle(f)))
394
395#endif /* __cplusplus */
396
397#endif /* _SQUID_WINDOWS_ */
398
399#endif /* USE_OPENSSL */
400#endif /* SQUID_SSL_SUPPORT_H */
401
int size
Definition: ModDevPoll.cc:75
static char server[MAXLINE]
Definition: SBuf.h:94
TLS squid.conf settings for a remote server peer.
Definition: PeerOptions.h:26
TLS squid.conf settings for a listening port.
Definition: ServerOptions.h:26
static VerifyCallbackParameters & At(Security::Connection &)
Definition: support.cc:551
static VerifyCallbackParameters * New(Security::Connection &)
Definition: support.cc:539
static VerifyCallbackParameters * Find(Security::Connection &)
Definition: support.cc:533
static int port
Definition: ldap_backend.cc:70
void useSquidUntrusted(SSL_CTX *sslContext)
Definition: support.cc:1345
GETX509ATTRIBUTE GetX509UserAttribute
Definition: support.h:109
Security::ContextPointer GenerateSslContext(CertificateProperties const &, Security::ServerOptions &, bool trusted)
Definition: support.cc:956
GETX509PEM GetX509PEM
Definition: support.h:115
std::vector< const char * > BumpModeStr
Definition: support.cc:46
const char * bumpMode(int bm)
Definition: support.h:138
SBuf sslGetUserCertificatePEM(SSL *ssl)
Definition: support.cc:891
bool configureSSL(SSL *ssl, CertificateProperties const &properties, AnyP::PortCfg &port)
Definition: support.cc:1002
bool generateUntrustedCert(Security::CertPointer &untrustedCert, Security::PrivateKeyPointer &untrustedPkey, Security::CertPointer const &cert, Security::PrivateKeyPointer const &pkey)
Definition: support.cc:1367
void chainCertificatesToSSLContext(Security::ContextPointer &, Security::ServerOptions &)
Definition: support.cc:970
void InRamCertificateDbKey(const Ssl::CertificateProperties &certProperties, SBuf &key)
Definition: support.cc:1390
GETX509ATTRIBUTE GetX509CAAttribute
Definition: support.h:112
const char * sslGetUserAttribute(SSL *ssl, const char *attribute_name)
Definition: support.cc:858
BIO * BIO_new_SBuf(SBuf *buf)
Definition: support.cc:1467
Security::ContextPointer createSSLContext(Security::CertPointer &x509, Security::PrivateKeyPointer &pkey, Security::ServerOptions &)
Create SSL context and apply ssl certificate and private key to it.
Definition: support.cc:925
bool verifySslCertificate(const Security::ContextPointer &, CertificateProperties const &)
Definition: support.cc:1045
bool checkX509ServerValidity(X509 *cert, const char *server)
Definition: support.cc:254
bool configureSSLUsingPkeyAndCertFromMemory(SSL *ssl, const char *data, AnyP::PortCfg &port)
Definition: support.cc:1025
bool loadCerts(const char *certsFile, Ssl::CertsIndexedList &list)
Definition: support.cc:1120
int asn1timeToString(ASN1_TIME *tm, char *buf, int len)
Definition: support.cc:181
const char * sslGetCAAttribute(SSL *ssl, const char *attribute_name)
Definition: support.cc:871
Security::ContextPointer GenerateSslContextUsingPkeyAndCertFromMemory(const char *data, Security::ServerOptions &, bool trusted)
Definition: support.cc:942
GETX509ATTRIBUTE GetX509Fingerprint
Definition: support.h:118
SBuf sslGetUserCertificateChainPEM(SSL *ssl)
Definition: support.cc:902
void configureUnconfiguredSslContext(Security::ContextPointer &, Ssl::CertSignAlgorithm signAlgorithm, AnyP::PortCfg &)
Definition: support.cc:995
void setClientSNI(SSL *ssl, const char *fqdn)
Definition: support.cc:1070
bool loadSquidUntrusted(const char *path)
Definition: support.cc:1351
const char * sslGetUserEmail(SSL *ssl)
Definition: support.cc:885
BumpMode
Definition: support.h:126
void unloadSquidUntrusted()
Definition: support.cc:1357
int matchX509CommonNames(X509 *peer_cert, void *check_data, int(*check_func)(void *check_data, ASN1_STRING *cn_data))
Definition: support.cc:195
char const * GETX509ATTRIBUTE(X509 *, const char *)
Definition: support.h:105
@ bumpTerminate
Definition: support.h:126
@ bumpEnd
Definition: support.h:126
@ bumpPeek
Definition: support.h:126
@ bumpClientFirst
Definition: support.h:126
@ bumpNone
Definition: support.h:126
@ bumpStare
Definition: support.h:126
@ bumpSplice
Definition: support.h:126
@ bumpBump
Definition: support.h:126
@ bumpServerFirst
Definition: support.h:126
CertSignAlgorithm
Definition: gadgets.h:166
Definition: forward.h:15
Definition: IpcIoFile.h:24
std::shared_ptr< SSL_CTX > ContextPointer
Definition: Context.h:29
SSL Connection
Definition: Session.h:45
long ParsedPortFlags
Definition: forward.h:202
Definition: Xaction.cc:40
SBuf GETX509PEM(X509 *)
Definition: support.h:106
void DisablePeerVerification(Security::ContextPointer &)
Definition: support.cc:432
bool InitClientContext(Security::ContextPointer &, Security::PeerOptions &, Security::ParsedPortFlags)
initialize a TLS client context with OpenSSL specific settings
Definition: support.cc:710
RefCount< CertValidationResponse > CertValidationResponsePointer
Definition: support.h:70
void SSL_add_untrusted_cert(SSL *ssl, X509 *cert)
bool VerifyConnCertificates(Security::Connection &, const Ssl::X509_STACK_Pointer &extraCerts)
Definition: support.cc:441
Security::CertPointer findIssuerCertificate(X509 *cert, const STACK_OF(X509) *serverCertificates, const Security::ContextPointer &context)
Definition: support.cc:1207
bool missingChainCertificatesUrls(std::queue< SBuf > &URIs, const STACK_OF(X509) &serverCertificates, const Security::ContextPointer &context)
Definition: support.cc:1233
void Initialize()
Definition: support.cc:651
const EVP_MD * DefaultSignHash
Definition: support.cc:44
int AskPasswordCb(char *buf, int size, int rwflag, void *userdata)
Definition: support.cc:64
void MaybeSetupRsaCallback(Security::ContextPointer &)
if required, setup callback for generating ephemeral RSA keys
Definition: support.cc:171
const char * findIssuerUri(X509 *cert)
finds certificate issuer URI in the Authority Info Access extension
Definition: support.cc:1090
std::unique_ptr< STACK_OF(X509), sk_X509_free_wrapper > X509_STACK_Pointer
Definition: gadgets.h:50
std::multimap< SBuf, X509 * > CertsIndexedList
certificates indexed by issuer name
Definition: support.h:144
void ConfigurePeerVerification(Security::ContextPointer &, const Security::ParsedPortFlags)
set the certificate verify callback for a context
Definition: support.cc:405
bool InitServerContext(Security::ContextPointer &, AnyP::PortCfg &)
initialize a TLS server context with OpenSSL specific settings
Definition: support.cc:701
STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx)
Definition: openssl.h:237