support.h
Go to the documentation of this file.
1/*
2 * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9/* DEBUG: section 83 SSL accelerator support */
10
11#ifndef SQUID_SSL_SUPPORT_H
12#define SQUID_SSL_SUPPORT_H
13
14#if USE_OPENSSL
15
16#include "base/CbDataList.h"
17#include "comm/forward.h"
18#include "compat/openssl.h"
19#include "sbuf/SBuf.h"
20#include "security/Session.h"
21#include "ssl/gadgets.h"
22
23#if HAVE_OPENSSL_X509V3_H
24#include <openssl/x509v3.h>
25#endif
26#if HAVE_OPENSSL_ERR_H
27#include <openssl/err.h>
28#endif
29#if HAVE_OPENSSL_ENGINE_H
30#include <openssl/engine.h>
31#endif
32#include <queue>
33#include <map>
34
40// Maximum certificate validation callbacks. OpenSSL versions exceeding this
41// limit are deemed stuck in an infinite validation loop (OpenSSL bug #3090)
42// and will trigger the SQUID_X509_V_ERR_INFINITE_VALIDATION error.
43// Can be set to a number up to UINT32_MAX
44#ifndef SQUID_CERT_VALIDATION_ITERATION_MAX
45#define SQUID_CERT_VALIDATION_ITERATION_MAX 16384
46#endif
47
48namespace AnyP
49{
50class PortCfg;
51};
52
53namespace Ipc
54{
55class MemMap;
56}
57
58namespace Ssl
59{
60
63int AskPasswordCb(char *buf, int size, int rwflag, void *userdata);
64
67void Initialize();
68
69class CertValidationResponse;
70typedef RefCount<CertValidationResponse> CertValidationResponsePointer;
71
73bool InitServerContext(Security::ContextPointer &, AnyP::PortCfg &);
74
76bool InitClientContext(Security::ContextPointer &, Security::PeerOptions &, Security::ParsedPortFlags);
77
79void ConfigurePeerVerification(Security::ContextPointer &, const Security::ParsedPortFlags);
80void DisablePeerVerification(Security::ContextPointer &);
81
83void MaybeSetupRsaCallback(Security::ContextPointer &);
84
85} //namespace Ssl
86
88const char *sslGetUserEmail(SSL *ssl);
89
91const char *sslGetUserAttribute(SSL *ssl, const char *attribute_name);
92
94const char *sslGetCAAttribute(SSL *ssl, const char *attribute_name);
95
97SBuf sslGetUserCertificatePEM(SSL *ssl);
98
100SBuf sslGetUserCertificateChainPEM(SSL *ssl);
101
102namespace Ssl
103{
105typedef char const *GETX509ATTRIBUTE(X509 *, const char *);
106typedef SBuf GETX509PEM(X509 *);
107
109GETX509ATTRIBUTE GetX509UserAttribute;
110
112GETX509ATTRIBUTE GetX509CAAttribute;
113
115GETX509PEM GetX509PEM;
116
118GETX509ATTRIBUTE GetX509Fingerprint;
119
120extern const EVP_MD *DefaultSignHash;
121
126enum BumpMode {bumpNone = 0, bumpClientFirst, bumpServerFirst, bumpPeek, bumpStare, bumpBump, bumpSplice, bumpTerminate, /*bumpErr,*/ bumpEnd};
127
132extern std::vector<const char *>BumpModeStr;
133
138inline const char *bumpMode(int bm)
139{
140 return (0 <= bm && bm < Ssl::bumpEnd) ? Ssl::BumpModeStr.at(bm) : nullptr;
141}
142
144typedef std::multimap<SBuf, X509 *> CertsIndexedList;
145
149bool loadCerts(const char *certsFile, Ssl::CertsIndexedList &list);
150
155bool loadSquidUntrusted(const char *path);
156
161void unloadSquidUntrusted();
162
169void SSL_add_untrusted_cert(SSL *ssl, X509 *cert);
170
172const char *findIssuerUri(X509 *cert);
173
177Security::CertPointer findIssuerCertificate(X509 *cert, const STACK_OF(X509) *serverCertificates, const Security::ContextPointer &context);
178
184bool missingChainCertificatesUrls(std::queue<SBuf> &URIs, const STACK_OF(X509) &serverCertificates, const Security::ContextPointer &context);
185
190bool generateUntrustedCert(Security::CertPointer & untrustedCert, Security::PrivateKeyPointer & untrustedPkey, Security::CertPointer const & cert, Security::PrivateKeyPointer const & pkey);
191
193typedef std::multimap<SBuf, X509 *> CertsIndexedList;
194
199bool loadCerts(const char *certsFile, Ssl::CertsIndexedList &list);
200
206bool loadSquidUntrusted(const char *path);
207
213void unloadSquidUntrusted();
214
219Security::ContextPointer GenerateSslContext(CertificateProperties const &, Security::ServerOptions &, bool trusted);
220
228bool verifySslCertificate(const Security::ContextPointer &, CertificateProperties const &);
229
235Security::ContextPointer GenerateSslContextUsingPkeyAndCertFromMemory(const char * data, Security::ServerOptions &, bool trusted);
236
241Security::ContextPointer createSSLContext(Security::CertPointer & x509, Security::PrivateKeyPointer & pkey, Security::ServerOptions &);
242
247void chainCertificatesToSSLContext(Security::ContextPointer &, Security::ServerOptions &);
248
253void configureUnconfiguredSslContext(Security::ContextPointer &, Ssl::CertSignAlgorithm signAlgorithm, AnyP::PortCfg &);
254
260bool configureSSL(SSL *ssl, CertificateProperties const &properties, AnyP::PortCfg &port);
261
267bool configureSSLUsingPkeyAndCertFromMemory(SSL *ssl, const char *data, AnyP::PortCfg &port);
268
274void useSquidUntrusted(SSL_CTX *sslContext);
275
285int matchX509CommonNames(X509 *peer_cert, void *check_data, int (*check_func)(void *check_data, ASN1_STRING *cn_data));
286
294bool checkX509ServerValidity(X509 *cert, const char *server);
295
304int asn1timeToString(ASN1_TIME *tm, char *buf, int len);
305
311void setClientSNI(SSL *ssl, const char *fqdn);
312
317void InRamCertificateDbKey(const Ssl::CertificateProperties &certProperties, SBuf &key);
318
324BIO *BIO_new_SBuf(SBuf *buf);
325
332bool VerifyConnCertificates(Security::Connection &, const Ssl::X509_STACK_Pointer &extraCerts);
333
334// TODO: Move other ssl_ex_index_* validation-related information here.
339class VerifyCallbackParameters {
340public:
343 static VerifyCallbackParameters *New(Security::Connection &);
344
346 static VerifyCallbackParameters &At(Security::Connection &);
347
349 static VerifyCallbackParameters *Find(Security::Connection &);
350
351 /* input parameters */
352
356 bool callerHandlesMissingCertificates = false;
357
358 /* output parameters */
359
364 bool hidMissingIssuer = false;
365};
366
367} //namespace Ssl
368
369#if _SQUID_WINDOWS_
370
371#if defined(__cplusplus)
372
374namespace Squid
375{
379inline
380int SSL_set_fd(SSL *ssl, int fd)
381{
382 return ::SSL_set_fd(ssl, _get_osfhandle(fd));
383}
384
386#define SSL_set_fd(ssl,fd) Squid::SSL_set_fd(ssl,fd)
387
388} /* namespace Squid */
389
390#else
391
393#define SSL_set_fd(s,f) (SSL_set_fd(s, _get_osfhandle(f)))
394
395#endif /* __cplusplus */
396
397#endif /* _SQUID_WINDOWS_ */
398
399#endif /* USE_OPENSSL */
400#endif /* SQUID_SSL_SUPPORT_H */
401
size
int size
Definition: ModDevPoll.cc:75
server
static char server[MAXLINE]
Definition: basic_radius_auth.cc:110
SBuf
Definition: SBuf.h:94
Security::PeerOptions
TLS squid.conf settings for a remote server peer.
Definition: PeerOptions.h:26
Security::ServerOptions
TLS squid.conf settings for a listening port.
Definition: ServerOptions.h:26
Ssl::VerifyCallbackParameters::At
static VerifyCallbackParameters & At(Security::Connection &)
Definition: support.cc:551
Ssl::VerifyCallbackParameters::New
static VerifyCallbackParameters * New(Security::Connection &)
Definition: support.cc:539
Ssl::VerifyCallbackParameters::Find
static VerifyCallbackParameters * Find(Security::Connection &)
Definition: support.cc:533
port
static int port
Definition: ldap_backend.cc:70
Ssl::useSquidUntrusted
void useSquidUntrusted(SSL_CTX *sslContext)
Definition: support.cc:1345
Ssl::GetX509UserAttribute
GETX509ATTRIBUTE GetX509UserAttribute
Definition: support.h:109
Ssl::GenerateSslContext
Security::ContextPointer GenerateSslContext(CertificateProperties const &, Security::ServerOptions &, bool trusted)
Definition: support.cc:956
Ssl::GetX509PEM
GETX509PEM GetX509PEM
Definition: support.h:115
Ssl::BumpModeStr
std::vector< const char * > BumpModeStr
Definition: support.cc:46
Ssl::bumpMode
const char * bumpMode(int bm)
Definition: support.h:138
sslGetUserCertificatePEM
SBuf sslGetUserCertificatePEM(SSL *ssl)
Definition: support.cc:891
Ssl::configureSSL
bool configureSSL(SSL *ssl, CertificateProperties const &properties, AnyP::PortCfg &port)
Definition: support.cc:1002
Ssl::generateUntrustedCert
bool generateUntrustedCert(Security::CertPointer &untrustedCert, Security::PrivateKeyPointer &untrustedPkey, Security::CertPointer const &cert, Security::PrivateKeyPointer const &pkey)
Definition: support.cc:1367
Ssl::chainCertificatesToSSLContext
void chainCertificatesToSSLContext(Security::ContextPointer &, Security::ServerOptions &)
Definition: support.cc:970
Ssl::InRamCertificateDbKey
void InRamCertificateDbKey(const Ssl::CertificateProperties &certProperties, SBuf &key)
Definition: support.cc:1390
Ssl::GetX509CAAttribute
GETX509ATTRIBUTE GetX509CAAttribute
Definition: support.h:112
sslGetUserAttribute
const char * sslGetUserAttribute(SSL *ssl, const char *attribute_name)
Definition: support.cc:858
Ssl::BIO_new_SBuf
BIO * BIO_new_SBuf(SBuf *buf)
Definition: support.cc:1467
Ssl::createSSLContext
Security::ContextPointer createSSLContext(Security::CertPointer &x509, Security::PrivateKeyPointer &pkey, Security::ServerOptions &)
Create SSL context and apply ssl certificate and private key to it.
Definition: support.cc:925
Ssl::verifySslCertificate
bool verifySslCertificate(const Security::ContextPointer &, CertificateProperties const &)
Definition: support.cc:1045
Ssl::checkX509ServerValidity
bool checkX509ServerValidity(X509 *cert, const char *server)
Definition: support.cc:254
Ssl::configureSSLUsingPkeyAndCertFromMemory
bool configureSSLUsingPkeyAndCertFromMemory(SSL *ssl, const char *data, AnyP::PortCfg &port)
Definition: support.cc:1025
Ssl::loadCerts
bool loadCerts(const char *certsFile, Ssl::CertsIndexedList &list)
Definition: support.cc:1120
Ssl::asn1timeToString
int asn1timeToString(ASN1_TIME *tm, char *buf, int len)
Definition: support.cc:181
sslGetCAAttribute
const char * sslGetCAAttribute(SSL *ssl, const char *attribute_name)
Definition: support.cc:871
Ssl::GenerateSslContextUsingPkeyAndCertFromMemory
Security::ContextPointer GenerateSslContextUsingPkeyAndCertFromMemory(const char *data, Security::ServerOptions &, bool trusted)
Definition: support.cc:942
Ssl::GetX509Fingerprint
GETX509ATTRIBUTE GetX509Fingerprint
Definition: support.h:118
sslGetUserCertificateChainPEM
SBuf sslGetUserCertificateChainPEM(SSL *ssl)
Definition: support.cc:902
Ssl::configureUnconfiguredSslContext
void configureUnconfiguredSslContext(Security::ContextPointer &, Ssl::CertSignAlgorithm signAlgorithm, AnyP::PortCfg &)
Definition: support.cc:995
Ssl::setClientSNI
void setClientSNI(SSL *ssl, const char *fqdn)
Definition: support.cc:1070
Ssl::loadSquidUntrusted
bool loadSquidUntrusted(const char *path)
Definition: support.cc:1351
sslGetUserEmail
const char * sslGetUserEmail(SSL *ssl)
Definition: support.cc:885
Ssl::BumpMode
BumpMode
Definition: support.h:126
Ssl::unloadSquidUntrusted
void unloadSquidUntrusted()
Definition: support.cc:1357
Ssl::matchX509CommonNames
int matchX509CommonNames(X509 *peer_cert, void *check_data, int(*check_func)(void *check_data, ASN1_STRING *cn_data))
Definition: support.cc:195
Ssl::GETX509ATTRIBUTE
char const * GETX509ATTRIBUTE(X509 *, const char *)
Definition: support.h:105
Ssl::bumpTerminate
@ bumpTerminate
Definition: support.h:126
Ssl::bumpEnd
@ bumpEnd
Definition: support.h:126
Ssl::bumpPeek
@ bumpPeek
Definition: support.h:126
Ssl::bumpClientFirst
@ bumpClientFirst
Definition: support.h:126
Ssl::bumpNone
@ bumpNone
Definition: support.h:126
Ssl::bumpStare
@ bumpStare
Definition: support.h:126
Ssl::bumpSplice
@ bumpSplice
Definition: support.h:126
Ssl::bumpBump
@ bumpBump
Definition: support.h:126
Ssl::bumpServerFirst
@ bumpServerFirst
Definition: support.h:126
Ssl::CertSignAlgorithm
CertSignAlgorithm
Definition: gadgets.h:166
AnyP
Definition: forward.h:15
Ipc
Definition: IpcIoFile.h:24
Security::ContextPointer
std::shared_ptr< SSL_CTX > ContextPointer
Definition: Context.h:29
Security::Connection
SSL Connection
Definition: Session.h:45
Security::ParsedPortFlags
long ParsedPortFlags
Definition: forward.h:202
Ssl
Definition: Xaction.cc:40
Ssl::GETX509PEM
SBuf GETX509PEM(X509 *)
Definition: support.h:106
Ssl::DisablePeerVerification
void DisablePeerVerification(Security::ContextPointer &)
Definition: support.cc:432
Ssl::InitClientContext
bool InitClientContext(Security::ContextPointer &, Security::PeerOptions &, Security::ParsedPortFlags)
initialize a TLS client context with OpenSSL specific settings
Definition: support.cc:710
Ssl::CertValidationResponsePointer
RefCount< CertValidationResponse > CertValidationResponsePointer
Definition: support.h:70
Ssl::SSL_add_untrusted_cert
void SSL_add_untrusted_cert(SSL *ssl, X509 *cert)
Ssl::VerifyConnCertificates
bool VerifyConnCertificates(Security::Connection &, const Ssl::X509_STACK_Pointer &extraCerts)
Definition: support.cc:441
Ssl::findIssuerCertificate
Security::CertPointer findIssuerCertificate(X509 *cert, const STACK_OF(X509) *serverCertificates, const Security::ContextPointer &context)
Definition: support.cc:1207
Ssl::missingChainCertificatesUrls
bool missingChainCertificatesUrls(std::queue< SBuf > &URIs, const STACK_OF(X509) &serverCertificates, const Security::ContextPointer &context)
Definition: support.cc:1233
Ssl::Initialize
void Initialize()
Definition: support.cc:651
Ssl::DefaultSignHash
const EVP_MD * DefaultSignHash
Definition: support.cc:44
Ssl::AskPasswordCb
int AskPasswordCb(char *buf, int size, int rwflag, void *userdata)
Definition: support.cc:64
Ssl::MaybeSetupRsaCallback
void MaybeSetupRsaCallback(Security::ContextPointer &)
if required, setup callback for generating ephemeral RSA keys
Definition: support.cc:171
Ssl::findIssuerUri
const char * findIssuerUri(X509 *cert)
finds certificate issuer URI in the Authority Info Access extension
Definition: support.cc:1090
Ssl::X509_STACK_Pointer
std::unique_ptr< STACK_OF(X509), sk_X509_free_wrapper > X509_STACK_Pointer
Definition: gadgets.h:50
Ssl::CertsIndexedList
std::multimap< SBuf, X509 * > CertsIndexedList
certificates indexed by issuer name
Definition: support.h:144
Ssl::ConfigurePeerVerification
void ConfigurePeerVerification(Security::ContextPointer &, const Security::ParsedPortFlags)
set the certificate verify callback for a context
Definition: support.cc:405
Ssl::InitServerContext
bool InitServerContext(Security::ContextPointer &, AnyP::PortCfg &)
initialize a TLS server context with OpenSSL specific settings
Definition: support.cc:701
STACK_OF
STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx)
Definition: openssl.h:237

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors