support.h

Go to the documentation of this file.

/*
 * Copyright (C) 1996-2025 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */
 
/* DEBUG: section 83    SSL accelerator support */
 
#ifndef SQUID_SRC_SSL_SUPPORT_H
#define SQUID_SRC_SSL_SUPPORT_H
 
#if USE_OPENSSL
 
#include "anyp/forward.h"
#include "base/CbDataList.h"
#include "base/TypeTraits.h"
#include "comm/forward.h"
#include "compat/openssl.h"
#include "dns/forward.h"
#include "ip/Address.h"
#include "sbuf/SBuf.h"
#include "security/Session.h"
#include "ssl/gadgets.h"
 
#if HAVE_OPENSSL_X509V3_H
#include <openssl/x509v3.h>
#endif
#if HAVE_OPENSSL_ERR_H
#include <openssl/err.h>
#endif
#if HAVE_OPENSSL_ENGINE_H
#include <openssl/engine.h>
#endif
#include <queue>
#include <map>
#include <optional>
#include <variant>
 
// Maximum certificate validation callbacks. OpenSSL versions exceeding this
// limit are deemed stuck in an infinite validation loop (OpenSSL bug #3090)
// and will trigger the SQUID_X509_V_ERR_INFINITE_VALIDATION error.
// Can be set to a number up to UINT32_MAX
#ifndef SQUID_CERT_VALIDATION_ITERATION_MAX
#define SQUID_CERT_VALIDATION_ITERATION_MAX 16384
#endif
 
namespace AnyP
{
class PortCfg;
};
 
namespace Ipc
{
class MemMap;
}
 
namespace Ssl
{
 
int AskPasswordCb(char *buf, int size, int rwflag, void *userdata);
 
void Initialize();
 
class CertValidationResponse;
typedef RefCount<CertValidationResponse> CertValidationResponsePointer;
 
bool InitServerContext(Security::ContextPointer &, AnyP::PortCfg &);
 
bool InitClientContext(Security::ContextPointer &, Security::PeerOptions &, Security::ParsedPortFlags);
 
void ConfigurePeerVerification(Security::ContextPointer &, const Security::ParsedPortFlags);
void DisablePeerVerification(Security::ContextPointer &);
 
void MaybeSetupRsaCallback(Security::ContextPointer &);
 
} //namespace Ssl
 
const char *sslGetUserEmail(SSL *ssl);
 
const char *sslGetUserAttribute(SSL *ssl, const char *attribute_name);
 
const char *sslGetCAAttribute(SSL *ssl, const char *attribute_name);
 
SBuf sslGetUserCertificatePEM(SSL *ssl);
 
SBuf sslGetUserCertificateChainPEM(SSL *ssl);
 
namespace Ssl
{
typedef char const *GETX509ATTRIBUTE(X509 *, const char *);
typedef SBuf GETX509PEM(X509 *);
 
GETX509ATTRIBUTE GetX509UserAttribute;
 
GETX509ATTRIBUTE GetX509CAAttribute;
 
GETX509PEM GetX509PEM;
 
GETX509ATTRIBUTE GetX509Fingerprint;
 
extern const EVP_MD *DefaultSignHash;
 
enum BumpMode {bumpNone = 0, bumpClientFirst, bumpServerFirst, bumpPeek, bumpStare, bumpBump, bumpSplice, bumpTerminate, /*bumpErr,*/ bumpEnd};
 
extern std::vector<const char *>BumpModeStr;
 
inline const char *bumpMode(int bm)
{
    return (0 <= bm && bm < Ssl::bumpEnd) ? Ssl::BumpModeStr.at(bm) : nullptr;
}
 
typedef std::multimap<SBuf, X509 *> CertsIndexedList;
 
using GeneralName = AnyP::Host;
 
bool loadCerts(const char *certsFile, Ssl::CertsIndexedList &list);
 
bool loadSquidUntrusted(const char *path);
 
void unloadSquidUntrusted();
 
void SSL_add_untrusted_cert(SSL *ssl, X509 *cert);
 
const char *findIssuerUri(X509 *cert);
 
Security::CertPointer findIssuerCertificate(X509 *cert, const STACK_OF(X509) *serverCertificates, const Security::ContextPointer &context);
 
bool missingChainCertificatesUrls(std::queue<SBuf> &URIs, const STACK_OF(X509) &serverCertificates, const Security::ContextPointer &context);
 
bool generateUntrustedCert(Security::CertPointer & untrustedCert, Security::PrivateKeyPointer & untrustedPkey, Security::CertPointer const & cert, Security::PrivateKeyPointer const & pkey);
 
typedef std::multimap<SBuf, X509 *> CertsIndexedList;
 
bool loadCerts(const char *certsFile, Ssl::CertsIndexedList &list);
 
bool loadSquidUntrusted(const char *path);
 
void unloadSquidUntrusted();
 
Security::ContextPointer GenerateSslContext(CertificateProperties const &, Security::ServerOptions &, bool trusted);
 
bool verifySslCertificate(const Security::ContextPointer &, CertificateProperties const &);
 
Security::ContextPointer GenerateSslContextUsingPkeyAndCertFromMemory(const char * data, Security::ServerOptions &, bool trusted);
 
Security::ContextPointer createSSLContext(Security::CertPointer & x509, Security::PrivateKeyPointer & pkey, Security::ServerOptions &);
 
void chainCertificatesToSSLContext(Security::ContextPointer &, Security::ServerOptions &);
 
void configureUnconfiguredSslContext(Security::ContextPointer &, Ssl::CertSignAlgorithm signAlgorithm, AnyP::PortCfg &);
 
bool configureSSL(SSL *ssl, CertificateProperties const &properties, AnyP::PortCfg &port);
 
bool configureSSLUsingPkeyAndCertFromMemory(SSL *ssl, const char *data, AnyP::PortCfg &port);
 
void useSquidUntrusted(SSL_CTX *sslContext);
 
class GeneralNameMatcher: public Interface
{
public:
    bool match(const Ssl::GeneralName &) const;
 
protected:
    // The methods below implement public match() API for each of the
    // GeneralName variants. For each public match() method call, exactly one of
    // these methods is called.
 
    virtual bool matchDomainName(const Dns::DomainName &) const = 0;
    virtual bool matchIp(const Ip::Address &) const = 0;
};
 
bool HasMatchingSubjectName(X509 &, const GeneralNameMatcher &);
 
bool HasSubjectName(X509 &, const AnyP::Host &);
 
int asn1timeToString(ASN1_TIME *tm, char *buf, int len);
 
void setClientSNI(SSL *ssl, const char *fqdn);
 
void InRamCertificateDbKey(const Ssl::CertificateProperties &certProperties, SBuf &key);
 
BIO *BIO_new_SBuf(SBuf *buf);
 
bool VerifyConnCertificates(Security::Connection &, const Ssl::X509_STACK_Pointer &extraCerts);
 
// TODO: Move other ssl_ex_index_* validation-related information here.
class VerifyCallbackParameters {
public:
    static VerifyCallbackParameters *New(Security::Connection &);
 
    static VerifyCallbackParameters &At(Security::Connection &);
 
    static VerifyCallbackParameters *Find(Security::Connection &);
 
    /* input parameters */
 
    bool callerHandlesMissingCertificates = false;
 
    /* output parameters */
 
    bool hidMissingIssuer = false;
};
 
} //namespace Ssl
 
#if _SQUID_WINDOWS_
 
#if defined(__cplusplus)
 
namespace Squid
{
inline
int SSL_set_fd(SSL *ssl, int fd)
{
    return ::SSL_set_fd(ssl, _get_osfhandle(fd));
}
 
#define SSL_set_fd(ssl,fd) Squid::SSL_set_fd(ssl,fd)
 
} /* namespace Squid */
 
#else
 
#define SSL_set_fd(s,f) (SSL_set_fd(s, _get_osfhandle(f)))
 
#endif /* __cplusplus */
 
#endif /* _SQUID_WINDOWS_ */
 
#endif /* USE_OPENSSL */
#endif /* SQUID_SRC_SSL_SUPPORT_H */