support.h
Go to the documentation of this file.
1 /*
2  * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 /* DEBUG: section 83 SSL accelerator support */
10 
11 #ifndef SQUID_SRC_SSL_SUPPORT_H
12 #define SQUID_SRC_SSL_SUPPORT_H
13 
14 #if USE_OPENSSL
15 
16 #include "anyp/forward.h"
17 #include "base/CbDataList.h"
18 #include "base/TypeTraits.h"
19 #include "comm/forward.h"
20 #include "compat/openssl.h"
21 #include "dns/forward.h"
22 #include "ip/Address.h"
23 #include "sbuf/SBuf.h"
24 #include "security/Session.h"
25 #include "ssl/gadgets.h"
26 
27 #if HAVE_OPENSSL_X509V3_H
28 #include <openssl/x509v3.h>
29 #endif
30 #if HAVE_OPENSSL_ERR_H
31 #include <openssl/err.h>
32 #endif
33 #if HAVE_OPENSSL_ENGINE_H
34 #include <openssl/engine.h>
35 #endif
36 #include <queue>
37 #include <map>
38 #include <optional>
39 #include <variant>
40 
46 // Maximum certificate validation callbacks. OpenSSL versions exceeding this
47 // limit are deemed stuck in an infinite validation loop (OpenSSL bug #3090)
48 // and will trigger the SQUID_X509_V_ERR_INFINITE_VALIDATION error.
49 // Can be set to a number up to UINT32_MAX
50 #ifndef SQUID_CERT_VALIDATION_ITERATION_MAX
51 #define SQUID_CERT_VALIDATION_ITERATION_MAX 16384
52 #endif
53 
54 namespace AnyP
55 {
56 class PortCfg;
57 };
58 
59 namespace Ipc
60 {
61 class MemMap;
62 }
63 
64 namespace Ssl
65 {
66 
69 int AskPasswordCb(char *buf, int size, int rwflag, void *userdata);
70 
73 void Initialize();
74 
75 class CertValidationResponse;
76 typedef RefCount<CertValidationResponse> CertValidationResponsePointer;
77 
79 bool InitServerContext(Security::ContextPointer &, AnyP::PortCfg &);
80 
82 bool InitClientContext(Security::ContextPointer &, Security::PeerOptions &, Security::ParsedPortFlags);
83 
85 void ConfigurePeerVerification(Security::ContextPointer &, const Security::ParsedPortFlags);
86 void DisablePeerVerification(Security::ContextPointer &);
87 
89 void MaybeSetupRsaCallback(Security::ContextPointer &);
90 
91 } //namespace Ssl
92 
94 const char *sslGetUserEmail(SSL *ssl);
95 
97 const char *sslGetUserAttribute(SSL *ssl, const char *attribute_name);
98 
100 const char *sslGetCAAttribute(SSL *ssl, const char *attribute_name);
101 
103 SBuf sslGetUserCertificatePEM(SSL *ssl);
104 
106 SBuf sslGetUserCertificateChainPEM(SSL *ssl);
107 
108 namespace Ssl
109 {
111 typedef char const *GETX509ATTRIBUTE(X509 *, const char *);
112 typedef SBuf GETX509PEM(X509 *);
113 
115 GETX509ATTRIBUTE GetX509UserAttribute;
116 
118 GETX509ATTRIBUTE GetX509CAAttribute;
119 
121 GETX509PEM GetX509PEM;
122 
124 GETX509ATTRIBUTE GetX509Fingerprint;
125 
126 extern const EVP_MD *DefaultSignHash;
127 
132 enum BumpMode {bumpNone = 0, bumpClientFirst, bumpServerFirst, bumpPeek, bumpStare, bumpBump, bumpSplice, bumpTerminate, /*bumpErr,*/ bumpEnd};
133 
138 extern std::vector<const char *>BumpModeStr;
139 
144 inline const char *bumpMode(int bm)
145 {
146  return (0 <= bm && bm < Ssl::bumpEnd) ? Ssl::BumpModeStr.at(bm) : nullptr;
147 }
148 
150 typedef std::multimap<SBuf, X509 *> CertsIndexedList;
151 
165 using GeneralName = AnyP::Host;
166 
170 bool loadCerts(const char *certsFile, Ssl::CertsIndexedList &list);
171 
176 bool loadSquidUntrusted(const char *path);
177 
182 void unloadSquidUntrusted();
183 
190 void SSL_add_untrusted_cert(SSL *ssl, X509 *cert);
191 
193 const char *findIssuerUri(X509 *cert);
194 
198 Security::CertPointer findIssuerCertificate(X509 *cert, const STACK_OF(X509) *serverCertificates, const Security::ContextPointer &context);
199 
205 bool missingChainCertificatesUrls(std::queue<SBuf> &URIs, const STACK_OF(X509) &serverCertificates, const Security::ContextPointer &context);
206 
211 bool generateUntrustedCert(Security::CertPointer & untrustedCert, Security::PrivateKeyPointer & untrustedPkey, Security::CertPointer const & cert, Security::PrivateKeyPointer const & pkey);
212 
214 typedef std::multimap<SBuf, X509 *> CertsIndexedList;
215 
220 bool loadCerts(const char *certsFile, Ssl::CertsIndexedList &list);
221 
227 bool loadSquidUntrusted(const char *path);
228 
234 void unloadSquidUntrusted();
235 
240 Security::ContextPointer GenerateSslContext(CertificateProperties const &, Security::ServerOptions &, bool trusted);
241 
249 bool verifySslCertificate(const Security::ContextPointer &, CertificateProperties const &);
250 
256 Security::ContextPointer GenerateSslContextUsingPkeyAndCertFromMemory(const char * data, Security::ServerOptions &, bool trusted);
257 
262 Security::ContextPointer createSSLContext(Security::CertPointer & x509, Security::PrivateKeyPointer & pkey, Security::ServerOptions &);
263 
268 void chainCertificatesToSSLContext(Security::ContextPointer &, Security::ServerOptions &);
269 
274 void configureUnconfiguredSslContext(Security::ContextPointer &, Ssl::CertSignAlgorithm signAlgorithm, AnyP::PortCfg &);
275 
281 bool configureSSL(SSL *ssl, CertificateProperties const &properties, AnyP::PortCfg &port);
282 
288 bool configureSSLUsingPkeyAndCertFromMemory(SSL *ssl, const char *data, AnyP::PortCfg &port);
289 
295 void useSquidUntrusted(SSL_CTX *sslContext);
296 
298 class GeneralNameMatcher: public Interface
299 {
300 public:
302  bool match(const Ssl::GeneralName &) const;
303 
304 protected:
305  // The methods below implement public match() API for each of the
306  // GeneralName variants. For each public match() method call, exactly one of
307  // these methods is called.
308 
309  virtual bool matchDomainName(const Dns::DomainName &) const = 0;
310  virtual bool matchIp(const Ip::Address &) const = 0;
311 };
312 
315 bool HasMatchingSubjectName(X509 &, const GeneralNameMatcher &);
316 
318 bool HasSubjectName(X509 &, const AnyP::Host &);
319 
328 int asn1timeToString(ASN1_TIME *tm, char *buf, int len);
329 
335 void setClientSNI(SSL *ssl, const char *fqdn);
336 
341 void InRamCertificateDbKey(const Ssl::CertificateProperties &certProperties, SBuf &key);
342 
348 BIO *BIO_new_SBuf(SBuf *buf);
349 
356 bool VerifyConnCertificates(Security::Connection &, const Ssl::X509_STACK_Pointer &extraCerts);
357 
358 // TODO: Move other ssl_ex_index_* validation-related information here.
363 class VerifyCallbackParameters {
364 public:
367  static VerifyCallbackParameters *New(Security::Connection &);
368 
370  static VerifyCallbackParameters &At(Security::Connection &);
371 
373  static VerifyCallbackParameters *Find(Security::Connection &);
374 
375  /* input parameters */
376 
380  bool callerHandlesMissingCertificates = false;
381 
382  /* output parameters */
383 
388  bool hidMissingIssuer = false;
389 };
390 
391 } //namespace Ssl
392 
393 #if _SQUID_WINDOWS_
394 
395 #if defined(__cplusplus)
396 
398 namespace Squid
399 {
402 inline
404 int SSL_set_fd(SSL *ssl, int fd)
405 {
406  return ::SSL_set_fd(ssl, _get_osfhandle(fd));
407 }
408 
410 #define SSL_set_fd(ssl,fd) Squid::SSL_set_fd(ssl,fd)
411 
412 } /* namespace Squid */
413 
414 #else
415 
417 #define SSL_set_fd(s,f) (SSL_set_fd(s, _get_osfhandle(f)))
418 
419 #endif /* __cplusplus */
420 
421 #endif /* _SQUID_WINDOWS_ */
422 
423 #endif /* USE_OPENSSL */
424 #endif /* SQUID_SRC_SSL_SUPPORT_H */
425 
sslGetCAAttribute
const char * sslGetCAAttribute(SSL *ssl, const char *attribute_name)
Definition: support.cc:962
Ssl::bumpPeek
@ bumpPeek
Definition: support.h:132
Ssl::InitClientContext
bool InitClientContext(Security::ContextPointer &, Security::PeerOptions &, Security::ParsedPortFlags)
initialize a TLS client context with OpenSSL specific settings
Definition: support.cc:801
Ssl::asn1timeToString
int asn1timeToString(ASN1_TIME *tm, char *buf, int len)
Definition: support.cc:243
Ssl::HasMatchingSubjectName
bool HasMatchingSubjectName(X509 &, const GeneralNameMatcher &)
Definition: support.cc:302
Ssl::Initialize
void Initialize()
Definition: support.cc:742
Ssl::InRamCertificateDbKey
void InRamCertificateDbKey(const Ssl::CertificateProperties &certProperties, SBuf &key)
Definition: support.cc:1481
Ssl::CertSignAlgorithm
CertSignAlgorithm
Definition: gadgets.h:169
Ssl::missingChainCertificatesUrls
bool missingChainCertificatesUrls(std::queue< SBuf > &URIs, const STACK_OF(X509) &serverCertificates, const Security::ContextPointer &context)
Definition: support.cc:1324
Ssl::generateUntrustedCert
bool generateUntrustedCert(Security::CertPointer &untrustedCert, Security::PrivateKeyPointer &untrustedPkey, Security::CertPointer const &cert, Security::PrivateKeyPointer const &pkey)
Definition: support.cc:1458
Security::ContextPointer
std::shared_ptr< SSL_CTX > ContextPointer
Definition: Context.h:29
Ssl::MaybeSetupRsaCallback
void MaybeSetupRsaCallback(Security::ContextPointer &)
if required, setup callback for generating ephemeral RSA keys
Definition: support.cc:233
Ssl::useSquidUntrusted
void useSquidUntrusted(SSL_CTX *sslContext)
Definition: support.cc:1436
Ssl::VerifyCallbackParameters::Find
static VerifyCallbackParameters * Find(Security::Connection &)
Definition: support.cc:624
Ssl::InitServerContext
bool InitServerContext(Security::ContextPointer &, AnyP::PortCfg &)
initialize a TLS server context with OpenSSL specific settings
Definition: support.cc:792
Ssl::GetX509Fingerprint
GETX509ATTRIBUTE GetX509Fingerprint
Definition: support.h:124
Ssl::createSSLContext
Security::ContextPointer createSSLContext(Security::CertPointer &x509, Security::PrivateKeyPointer &pkey, Security::ServerOptions &)
Create SSL context and apply ssl certificate and private key to it.
Definition: support.cc:1016
Ssl::SSL_add_untrusted_cert
void SSL_add_untrusted_cert(SSL *ssl, X509 *cert)
SBuf
Definition: SBuf.h:93
Ssl::X509_STACK_Pointer
std::unique_ptr< STACK_OF(X509), sk_X509_free_wrapper > X509_STACK_Pointer
Definition: gadgets.h:53
Ssl::BumpMode
BumpMode
Definition: support.h:132
Ssl::GetX509PEM
GETX509PEM GetX509PEM
Definition: support.h:121
Ssl::VerifyCallbackParameters::At
static VerifyCallbackParameters & At(Security::Connection &)
Definition: support.cc:642
Ssl::bumpTerminate
@ bumpTerminate
Definition: support.h:132
Ssl::GetX509CAAttribute
GETX509ATTRIBUTE GetX509CAAttribute
Definition: support.h:118
Ssl::bumpEnd
@ bumpEnd
Definition: support.h:132
Ssl::VerifyCallbackParameters::New
static VerifyCallbackParameters * New(Security::Connection &)
Definition: support.cc:630
sslGetUserEmail
const char * sslGetUserEmail(SSL *ssl)
Definition: support.cc:976
Ssl::GeneralNameMatcher::matchDomainName
virtual bool matchDomainName(const Dns::DomainName &) const =0
Ssl::BIO_new_SBuf
BIO * BIO_new_SBuf(SBuf *buf)
Definition: support.cc:1558
port
static int port
Definition: ldap_backend.cc:70
TypeTraits_::Interface
convenience base for any class with pure virtual method(s)
Definition: TypeTraits.h:18
Ssl::bumpServerFirst
@ bumpServerFirst
Definition: support.h:132
size
int size
Definition: ModDevPoll.cc:69
Ssl::findIssuerCertificate
Security::CertPointer findIssuerCertificate(X509 *cert, const STACK_OF(X509) *serverCertificates, const Security::ContextPointer &context)
Definition: support.cc:1298
Ssl::DefaultSignHash
const EVP_MD * DefaultSignHash
Definition: support.cc:46
AnyP
Definition: forward.h:14
Ssl::VerifyConnCertificates
bool VerifyConnCertificates(Security::Connection &, const Ssl::X509_STACK_Pointer &extraCerts)
Definition: support.cc:532
Security::PeerOptions
TLS squid.conf settings for a remote server peer.
Definition: PeerOptions.h:25
Ssl::configureUnconfiguredSslContext
void configureUnconfiguredSslContext(Security::ContextPointer &, Ssl::CertSignAlgorithm signAlgorithm, AnyP::PortCfg &)
Definition: support.cc:1086
Ssl::GeneralNameMatcher::match
bool match(const Ssl::GeneralName &) const
whether the given name satisfies algorithm conditions
Definition: support.cc:79
Ssl
Definition: Xaction.cc:39
Security::ParsedPortFlags
long ParsedPortFlags
Definition: forward.h:204
Ssl::GeneralNameMatcher::matchIp
virtual bool matchIp(const Ip::Address &) const =0
Ssl::findIssuerUri
const char * findIssuerUri(X509 *cert)
finds certificate issuer URI in the Authority Info Access extension
Definition: support.cc:1181
AnyP::Host
either a domain name (as defined in DNS RFC 1034) or an IP address
Definition: Host.h:24
Security::Connection
SSL Connection
Definition: Session.h:49
Ssl::GenerateSslContextUsingPkeyAndCertFromMemory
Security::ContextPointer GenerateSslContextUsingPkeyAndCertFromMemory(const char *data, Security::ServerOptions &, bool trusted)
Definition: support.cc:1033
Ssl::CertsIndexedList
std::multimap< SBuf, X509 * > CertsIndexedList
certificates indexed by issuer name
Definition: support.h:150
sslGetUserCertificateChainPEM
SBuf sslGetUserCertificateChainPEM(SSL *ssl)
Definition: support.cc:993
Ssl::GenerateSslContext
Security::ContextPointer GenerateSslContext(CertificateProperties const &, Security::ServerOptions &, bool trusted)
Definition: support.cc:1047
sslGetUserAttribute
const char * sslGetUserAttribute(SSL *ssl, const char *attribute_name)
Definition: support.cc:949
Ssl::unloadSquidUntrusted
void unloadSquidUntrusted()
Definition: support.cc:1448
Ssl::bumpStare
@ bumpStare
Definition: support.h:132
Ssl::BumpModeStr
std::vector< const char * > BumpModeStr
Definition: support.cc:48
Security::ServerOptions
TLS squid.conf settings for a listening port.
Definition: ServerOptions.h:25
Ssl::chainCertificatesToSSLContext
void chainCertificatesToSSLContext(Security::ContextPointer &, Security::ServerOptions &)
Definition: support.cc:1061
Ssl::GeneralNameMatcher
an algorithm for checking/testing/comparing X.509 certificate names
Definition: support.h:298
Ssl::DisablePeerVerification
void DisablePeerVerification(Security::ContextPointer &)
Definition: support.cc:523
Ssl::AskPasswordCb
int AskPasswordCb(char *buf, int size, int rwflag, void *userdata)
Definition: support.cc:126
Ssl::bumpNone
@ bumpNone
Definition: support.h:132
Ssl::GETX509PEM
SBuf GETX509PEM(X509 *)
Definition: support.h:112
Ssl::configureSSLUsingPkeyAndCertFromMemory
bool configureSSLUsingPkeyAndCertFromMemory(SSL *ssl, const char *data, AnyP::PortCfg &port)
Definition: support.cc:1116
Ssl::verifySslCertificate
bool verifySslCertificate(const Security::ContextPointer &, CertificateProperties const &)
Definition: support.cc:1136
Ssl::GetX509UserAttribute
GETX509ATTRIBUTE GetX509UserAttribute
Definition: support.h:115
Ssl::bumpBump
@ bumpBump
Definition: support.h:132
Ssl::HasSubjectName
bool HasSubjectName(X509 &, const AnyP::Host &)
whether at least one common or alternate subject name matches the given one
Definition: support.cc:333
Ssl::GETX509ATTRIBUTE
const char * GETX509ATTRIBUTE(X509 *, const char *)
Definition: support.h:111
Ssl::ConfigurePeerVerification
void ConfigurePeerVerification(Security::ContextPointer &, const Security::ParsedPortFlags)
set the certificate verify callback for a context
Definition: support.cc:496
Ssl::loadCerts
bool loadCerts(const char *certsFile, Ssl::CertsIndexedList &list)
Definition: support.cc:1211
STACK_OF
STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx)
Definition: openssl.h:237
Ssl::bumpClientFirst
@ bumpClientFirst
Definition: support.h:132
Ssl::configureSSL
bool configureSSL(SSL *ssl, CertificateProperties const &properties, AnyP::PortCfg &port)
Definition: support.cc:1093
Ssl::bumpMode
const char * bumpMode(int bm)
Definition: support.h:144
Ssl::loadSquidUntrusted
bool loadSquidUntrusted(const char *path)
Definition: support.cc:1442
sslGetUserCertificatePEM
SBuf sslGetUserCertificatePEM(SSL *ssl)
Definition: support.cc:982
Ssl::CertValidationResponsePointer
RefCount< CertValidationResponse > CertValidationResponsePointer
Definition: support.h:75
Ssl::setClientSNI
void setClientSNI(SSL *ssl, const char *fqdn)
Definition: support.cc:1161
Ipc
Definition: IpcIoFile.h:23
Ssl::bumpSplice
@ bumpSplice
Definition: support.h:132

 

Introduction

Documentation

Support

Miscellaneous