support.h
1 /*
2  * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 /* DEBUG: section 83 SSL accelerator support */
10 
11 #ifndef SQUID_SSL_SUPPORT_H
12 #define SQUID_SSL_SUPPORT_H
13 
14 #if USE_OPENSSL
15 
16 #include "base/CbDataList.h"
17 #include "comm/forward.h"
18 #include "compat/openssl.h"
19 #include "sbuf/SBuf.h"
20 #include "security/forward.h"
21 #include "ssl/gadgets.h"
22 
23 #if HAVE_OPENSSL_X509V3_H
24 #include <openssl/x509v3.h>
25 #endif
26 #if HAVE_OPENSSL_ERR_H
27 #include <openssl/err.h>
28 #endif
29 #if HAVE_OPENSSL_ENGINE_H
30 #include <openssl/engine.h>
31 #endif
32 #include <queue>
33 #include <map>
34 
// Maximum number of certificate validation callbacks. Validations exceeding this
// limit are deemed stuck in an infinite validation loop (OpenSSL bug #3090)
// and will trigger the SQUID_X509_V_ERR_INFINITE_VALIDATION error.
// Can be set to any number up to UINT32_MAX.
44 #ifndef SQUID_CERT_VALIDATION_ITERATION_MAX
45 #define SQUID_CERT_VALIDATION_ITERATION_MAX 16384
46 #endif
47 
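// Forward declarations only: the full definitions live outside this header
// and are not needed to declare the functions below.
namespace AnyP
{
class PortCfg; // TLS squid.conf settings for a listening port
}

namespace Ipc
{
class MemMap;
}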
57 
namespace Ssl
{

/// Passphrase callback handed to OpenSSL when an encrypted private key is
/// loaded. The signature is OpenSSL's pem_password_cb: per that contract the
/// passphrase is written into buf (at most size bytes) and the return value
/// is its length, with a negative value signalling failure.
/// \param buf      destination for the passphrase
/// \param size     capacity of buf in bytes
/// \param rwflag   OpenSSL read/write flag (0 when a key is being read)
/// \param userdata opaque pointer registered together with the callback
int AskPasswordCb(char *buf, int size, int rwflag, void *userdata);

/// One-time OpenSSL setup for the SSL accelerator (body in support.cc:650);
/// NOTE(review): what exactly is initialized is not visible here -- confirm there.
void Initialize();

/// Result of an external certificate validation; defined elsewhere.
class CertValidationResponse;

} //namespace Ssl
86 
/// Email address found in the peer (user) certificate of ssl -- presumably;
/// the NULL-on-absence behaviour is not visible here, confirm in support.cc:877.
const char *sslGetUserEmail(SSL *ssl);

/// Value of attribute_name from the subject of the peer (user) certificate
/// of ssl -- presumably; confirm in support.cc:850.
const char *sslGetUserAttribute(SSL *ssl, const char *attribute_name);

/// Value of attribute_name from the issuer (CA) of the peer certificate
/// of ssl -- presumably; confirm in support.cc:863.
const char *sslGetCAAttribute(SSL *ssl, const char *attribute_name);
95 
98 
101 
102 namespace Ssl
103 {
/// Signature shared by the certificate attribute extractors
/// (GetX509UserAttribute, GetX509CAAttribute, GetX509Fingerprint).
typedef char const *GETX509ATTRIBUTE(X509 *, const char *);
/// Signature of the PEM serializers (GetX509PEM).
typedef SBuf GETX509PEM(X509 *);

/// Digest used when Squid signs the certificates it generates -- presumably;
/// the value is set in support.cc:44.
extern const EVP_MD *DefaultSignHash;

/// Configuration names of the BumpMode values, indexed by the enumerator.
/// Defined in support.cc; bumpMode() below is the bounds-checked accessor.
extern std::vector<const char *>BumpModeStr;
133 
/// Maps a BumpMode value to its configuration name.
/// \param bm the mode to name; any int is accepted
/// \return the matching BumpModeStr entry, or nullptr when bm lies outside [0, bumpEnd)
inline const char *bumpMode(int bm)
{
    if (bm < 0 || bm >= Ssl::bumpEnd)
        return nullptr;
    // at() keeps a throwing bounds check as a backstop in case BumpModeStr
    // and the BumpMode enumeration ever get out of sync
    return Ssl::BumpModeStr.at(bm);
}
142 
/// Certificates indexed by issuer name.
typedef std::multimap<SBuf, X509 *> CertsIndexedList;

/// Loads the certificates found in certsFile into list.
/// \return false on failure -- presumably; confirm in support.cc:1112
bool loadCerts(const char *certsFile, Ssl::CertsIndexedList &list);

/// Loads the "squid untrusted" certificate set from path. NOTE(review): the
/// name suggests intermediate certificates used for chain building rather
/// than trust anchors -- confirm in support.cc:1349 before relying on that.
bool loadSquidUntrusted(const char *path);

/// Releases whatever loadSquidUntrusted() loaded.
void unloadSquidUntrusted();

/// Adds cert to the untrusted certificates available to ssl for chain
/// building. NOTE(review): whether this can ever make cert a trust anchor is
/// not visible here -- confirm in support.cc.
void SSL_add_untrusted_cert(SSL *ssl, X509 *cert);

/// Finds certificate issuer URI in the Authority Info Access extension.
/// \return the URI, or presumably NULL when the extension is absent -- TODO confirm
const char *findIssuerUri(X509 *cert);

/// Looks for the issuer of cert among serverCertificates and the
/// certificates known to context.
Security::CertPointer findIssuerCertificate(X509 *cert, const STACK_OF(X509) *serverCertificates, const Security::ContextPointer &context);

/// Queues into URIs the issuer URIs needed to complete the chain of
/// serverCertificates. \return presumably true when something was queued -- TODO confirm
bool missingChainCertificatesUrls(std::queue<SBuf> &URIs, const STACK_OF(X509) &serverCertificates, const Security::ContextPointer &context);

/// Produces untrustedCert/untrustedPkey derived from cert/pkey
/// (presumably a deliberately invalid mimic certificate; see support.cc:1365).
bool generateUntrustedCert(Security::CertPointer & untrustedCert, Security::PrivateKeyPointer & untrustedPkey, Security::CertPointer const & cert, Security::PrivateKeyPointer const & pkey);

// The four declarations below repeat CertsIndexedList, loadCerts,
// loadSquidUntrusted and unloadSquidUntrusted from earlier in this
// namespace. Redeclaring them is legal and harmless, but one copy could go.
typedef std::multimap<SBuf, X509 *> CertsIndexedList;

bool loadCerts(const char *certsFile, Ssl::CertsIndexedList &list);

bool loadSquidUntrusted(const char *path);

void unloadSquidUntrusted();
214 
220 
229 
236 
/// Create SSL context and apply ssl certificate and private key to it.
Security::ContextPointer createSSLContext(Security::CertPointer & x509, Security::PrivateKeyPointer & pkey, Security::ServerOptions &);

/// Configures ssl for port with a certificate described by properties
/// (presumably generated or fetched from the certificate cache; see support.cc:994).
bool configureSSL(SSL *ssl, CertificateProperties const &properties, AnyP::PortCfg &port);

/// Like configureSSL(), but certificate and private key are taken from the
/// in-memory buffer data (presumably PEM text -- confirm in support.cc:1017).
bool configureSSLUsingPkeyAndCertFromMemory(SSL *ssl, const char *data, AnyP::PortCfg &port);

/// Makes the certificates loaded by loadSquidUntrusted() available to sslContext.
void useSquidUntrusted(SSL_CTX *sslContext);

/// Invokes check_func(check_data, name) for the common-name entries of
/// peer_cert. NOTE(review): whether subjectAltName entries are visited too,
/// and what the int result encodes, is not visible here -- see support.cc:195.
int matchX509CommonNames(X509 *peer_cert, void *check_data, int (*check_func)(void *check_data, ASN1_STRING *cn_data));

/// Whether cert is valid for the host named server -- presumably a hostname
/// match against the certificate names; confirm in support.cc:254.
bool checkX509ServerValidity(X509 *cert, const char *server);

/// Renders the ASN.1 time tm as text into buf, which holds len bytes.
/// NOTE(review): the meaning of the int result and whether buf is always
/// NUL-terminated are not visible here -- check support.cc:181 before
/// treating buf as a C string.
int asn1timeToString(ASN1_TIME *tm, char *buf, int len);

/// Sets the SNI extension of the client-side ssl to fqdn.
void setClientSNI(SSL *ssl, const char *fqdn);

/// Computes into key the in-RAM certificate database key for certProperties.
void InRamCertificateDbKey(const Ssl::CertificateProperties &certProperties, SBuf &key);

/// Creates a BIO backed by buf. NOTE(review): buf presumably has to outlive
/// the returned BIO -- confirm in support.cc:1465.
BIO *BIO_new_SBuf(SBuf *buf);
333 
334 // TODO: Move other ssl_ex_index_* validation-related information here.
340 public:
344 
347 
350 
351  /* input parameters */
352 
357 
358  /* output parameters */
359 
364  bool hidMissingIssuer = false;
365 };
366 
367 } //namespace Ssl
368 
369 #if _SQUID_WINDOWS_
370 
371 #if defined(__cplusplus)
372 
namespace Squid
{
/// Windows-only wrapper so that SSL_set_fd() accepts a CRT file descriptor:
/// the descriptor is mapped to the underlying OS handle with _get_osfhandle()
/// before OpenSSL's own SSL_set_fd() is called.
inline
int SSL_set_fd(SSL *ssl, int fd)
{
    // ::SSL_set_fd is still OpenSSL's function at this point: the macro
    // below is defined only after this body, so the call does not recurse.
    // NOTE(review): _get_osfhandle() returns intptr_t while OpenSSL's
    // SSL_set_fd() takes int; whether that narrowing is acceptable on 64-bit
    // builds is not visible here -- confirm.
    return ::SSL_set_fd(ssl, _get_osfhandle(fd));
}

/// Route every later SSL_set_fd() use through the wrapper above.
#define SSL_set_fd(ssl,fd) Squid::SSL_set_fd(ssl,fd)

} /* namespace Squid */
389 
390 #else
391 
393 #define SSL_set_fd(s,f) (SSL_set_fd(s, _get_osfhandle(f)))
394 
395 #endif /* __cplusplus */
396 
397 #endif /* _SQUID_WINDOWS_ */
398 
399 #endif /* USE_OPENSSL */
400 #endif /* SQUID_SSL_SUPPORT_H */
401 
const char * sslGetCAAttribute(SSL *ssl, const char *attribute_name)
Definition: support.cc:863
@ bumpPeek
Definition: support.h:126
bool InitClientContext(Security::ContextPointer &, Security::PeerOptions &, Security::ParsedPortFlags)
initialize a TLS client context with OpenSSL specific settings
Definition: support.cc:702
int asn1timeToString(ASN1_TIME *tm, char *buf, int len)
Definition: support.cc:181
void Initialize()
Definition: support.cc:650
void InRamCertificateDbKey(const Ssl::CertificateProperties &certProperties, SBuf &key)
Definition: support.cc:1388
CertSignAlgorithm
Definition: gadgets.h:150
bool missingChainCertificatesUrls(std::queue< SBuf > &URIs, const STACK_OF(X509) &serverCertificates, const Security::ContextPointer &context)
Definition: support.cc:1230
bool generateUntrustedCert(Security::CertPointer &untrustedCert, Security::PrivateKeyPointer &untrustedPkey, Security::CertPointer const &cert, Security::PrivateKeyPointer const &pkey)
Definition: support.cc:1365
std::shared_ptr< SSL_CTX > ContextPointer
Definition: Context.h:29
void MaybeSetupRsaCallback(Security::ContextPointer &)
if required, setup callback for generating ephemeral RSA keys
Definition: support.cc:171
void useSquidUntrusted(SSL_CTX *sslContext)
Definition: support.cc:1343
static VerifyCallbackParameters * Find(Security::Connection &)
Definition: support.cc:536
bool InitServerContext(Security::ContextPointer &, AnyP::PortCfg &)
initialize a TLS server context with OpenSSL specific settings
Definition: support.cc:693
GETX509ATTRIBUTE GetX509Fingerprint
Definition: support.h:118
Security::ContextPointer createSSLContext(Security::CertPointer &x509, Security::PrivateKeyPointer &pkey, Security::ServerOptions &)
Create SSL context and apply ssl certificate and private key to it.
Definition: support.cc:917
void SSL_add_untrusted_cert(SSL *ssl, X509 *cert)
int matchX509CommonNames(X509 *peer_cert, void *check_data, int(*check_func)(void *check_data, ASN1_STRING *cn_data))
Definition: support.cc:195
Definition: SBuf.h:87
std::unique_ptr< STACK_OF(X509), sk_X509_free_wrapper > X509_STACK_Pointer
Definition: gadgets.h:47
BumpMode
Definition: support.h:126
GETX509PEM GetX509PEM
Definition: support.h:115
static VerifyCallbackParameters & At(Security::Connection &)
Definition: support.cc:554
@ bumpTerminate
Definition: support.h:126
GETX509ATTRIBUTE GetX509CAAttribute
Definition: support.h:112
@ bumpEnd
Definition: support.h:126
static VerifyCallbackParameters * New(Security::Connection &)
Definition: support.cc:542
const char * sslGetUserEmail(SSL *ssl)
Definition: support.cc:877
BIO * BIO_new_SBuf(SBuf *buf)
Definition: support.cc:1465
static int port
Definition: ldap_backend.cc:69
bool checkX509ServerValidity(X509 *cert, const char *server)
Definition: support.cc:254
@ bumpServerFirst
Definition: support.h:126
int size
Definition: ModDevPoll.cc:76
Security::CertPointer findIssuerCertificate(X509 *cert, const STACK_OF(X509) *serverCertificates, const Security::ContextPointer &context)
Definition: support.cc:1204
#define NULL
Definition: types.h:166
const EVP_MD * DefaultSignHash
Definition: support.cc:44
Definition: forward.h:15
bool VerifyConnCertificates(Security::Connection &, const Ssl::X509_STACK_Pointer &extraCerts)
Definition: support.cc:444
TLS squid.conf settings for a remote server peer.
Definition: PeerOptions.h:24
void configureUnconfiguredSslContext(Security::ContextPointer &, Ssl::CertSignAlgorithm signAlgorithm, AnyP::PortCfg &)
Definition: support.cc:987
Definition: Xaction.cc:49
long ParsedPortFlags
Definition: forward.h:175
char const * GETX509ATTRIBUTE(X509 *, const char *)
Definition: support.h:105
const char * findIssuerUri(X509 *cert)
finds certificate issuer URI in the Authority Info Access extension
Definition: support.cc:1082
SSL Connection
Definition: Session.h:45
Security::ContextPointer GenerateSslContextUsingPkeyAndCertFromMemory(const char *data, Security::ServerOptions &, bool trusted)
Definition: support.cc:934
std::multimap< SBuf, X509 * > CertsIndexedList
certificates indexed by issuer name
Definition: support.h:144
SBuf sslGetUserCertificateChainPEM(SSL *ssl)
Definition: support.cc:894
Security::ContextPointer GenerateSslContext(CertificateProperties const &, Security::ServerOptions &, bool trusted)
Definition: support.cc:948
const char * sslGetUserAttribute(SSL *ssl, const char *attribute_name)
Definition: support.cc:850
void unloadSquidUntrusted()
Definition: support.cc:1355
@ bumpStare
Definition: support.h:126
std::vector< const char * > BumpModeStr
Definition: support.cc:46
TLS squid.conf settings for a listening port.
Definition: ServerOptions.h:26
void chainCertificatesToSSLContext(Security::ContextPointer &, Security::ServerOptions &)
Definition: support.cc:962
void DisablePeerVerification(Security::ContextPointer &)
Definition: support.cc:435
int AskPasswordCb(char *buf, int size, int rwflag, void *userdata)
Definition: support.cc:64
@ bumpNone
Definition: support.h:126
SBuf GETX509PEM(X509 *)
Definition: support.h:106
bool configureSSLUsingPkeyAndCertFromMemory(SSL *ssl, const char *data, AnyP::PortCfg &port)
Definition: support.cc:1017
static char server[MAXLINE]
bool verifySslCertificate(const Security::ContextPointer &, CertificateProperties const &)
Definition: support.cc:1037
GETX509ATTRIBUTE GetX509UserAttribute
Definition: support.h:109
@ bumpBump
Definition: support.h:126
void ConfigurePeerVerification(Security::ContextPointer &, const Security::ParsedPortFlags)
set the certificate verify callback for a context
Definition: support.cc:408
bool loadCerts(const char *certsFile, Ssl::CertsIndexedList &list)
Definition: support.cc:1112
STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx)
Definition: openssl.h:237
@ bumpClientFirst
Definition: support.h:126
bool configureSSL(SSL *ssl, CertificateProperties const &properties, AnyP::PortCfg &port)
Definition: support.cc:994
const char * bumpMode(int bm)
Definition: support.h:138
bool loadSquidUntrusted(const char *path)
Definition: support.cc:1349
SBuf sslGetUserCertificatePEM(SSL *ssl)
Definition: support.cc:883
RefCount< CertValidationResponse > CertValidationResponsePointer
Definition: support.h:69
void setClientSNI(SSL *ssl, const char *fqdn)
Definition: support.cc:1062
Definition: IpcIoFile.h:24
@ bumpSplice
Definition: support.h:126

 
