/** @file

  A brief file description

  @section license License

  Licensed to the Apache Software Foundation (ASF) under one
  or more contributor license agreements.  See the NOTICE file
  distributed with this work for additional information
  regarding copyright ownership.  The ASF licenses this file
  to you under the Apache License, Version 2.0 (the
  "License"); you may not use this file except in compliance
  with the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
 */
23 
/*************************** -*- Mod: C++ -*- ******************************
  P_SSLConfig.h
   Created On      : 07/20/2000

   Description:
   SSL Configurations
 ****************************************************************************/
31 #pragma once
32 
33 #include <openssl/rand.h>
34 
35 #include "tscore/ink_inet.h"
36 #include "tscore/IpMap.h"
37 
38 #include "ProxyConfig.h"
39 
40 #include "SSLSessionCache.h"
41 #include "YamlSNIConfig.h"
42 
43 #include "P_SSLUtils.h"
44 
// Opaque to this header: the certificate lookup table and the session-ticket key
// block are both defined elsewhere; only pointers to them appear below.
struct SSLCertLookup;
struct ssl_ticket_key_block;
47 
/////////////////////////////////////////////////////////////
//
// struct SSLConfigParams
//
// configuration parameters as they appear in the global
// configuration file.
/////////////////////////////////////////////////////////////
55 
// Hook signatures stored in SSLConfigParams::init_ssl_ctx_cb / load_ssl_file_cb.
// init_ssl_ctx_func receives an opaque pointer (presumably the SSL_CTX being set up)
// and a bool whose meaning is fixed by the caller that invokes the hook.
using init_ssl_ctx_func = void (*)(void *, bool);
// load_ssl_file_func receives the path of a file the hook is expected to handle.
using load_ssl_file_func = void (*)(const char *);
58 
// Snapshot of the global SSL configuration. Instances are handed out by
// SSLConfig::acquire()/release() (declared below); the ConfigInfo base is
// what the ConfigProcessor keeps. Most members are plain C strings and ints
// whose ownership and valid ranges are not expressed in the type: initialize()
// fills them and cleanup() tears them down (both defined in the .cc, not here).
struct SSLConfigParams : public ConfigInfo {
  // Which TLS session-cache implementation is active; stored in ssl_session_cache.
  enum SSL_SESSION_CACHE_MODE {
    SSL_SESSION_CACHE_MODE_OFF                 = 0, // no session resumption cache
    SSL_SESSION_CACHE_MODE_SERVER_OPENSSL_IMPL = 1, // OpenSSL's built-in cache
    SSL_SESSION_CACHE_MODE_SERVER_ATS_IMPL     = 2  // ATS's own cache (presumably the SSLSessionCache from SSLSessionCache.h)
  };

  SSLConfigParams();
  ~SSLConfigParams() override;

  // Server-side (inbound TLS) material and policy. The *PathOnly members look like
  // directories and the *Filename members like file names (by naming — confirm in initialize()).
  char *serverCertPathOnly;
  char *serverCertChainFilename;
  char *serverKeyPathOnly;
  char *serverCACertFilename;
  char *serverCACertPath;
  char *configFilePath;
  char *dhparamsFile;
  char *cipherSuite;        // TLS <= 1.2 cipher list for inbound connections
  char *client_cipherSuite; // TLS <= 1.2 cipher list for outbound (origin) connections
  int configExitOnLoadError;
  int clientCertLevel; // how strictly inbound client certificates are demanded; exact level semantics live at the consumer
  int verify_depth;    // chain-depth limit for client-certificate verification (by naming — confirm)
  int ssl_session_cache; // one of SSL_SESSION_CACHE_MODE
  int ssl_session_cache_size;
  int ssl_session_cache_num_buckets;
  int ssl_session_cache_skip_on_contention;
  int ssl_session_cache_timeout;
  int ssl_session_cache_auto_clear;

  // Client-side (outbound TLS to origins) material and verification policy.
  char *clientCertPath;
  char *clientCertPathOnly;
  char *clientKeyPath;
  char *clientKeyPathOnly;
  char *clientCACertFilename;
  char *clientCACertPath;
  YamlSNIConfig::Policy verifyServerPolicy;       // origin certificate verification policy (values in YamlSNIConfig.h)
  YamlSNIConfig::Property verifyServerProperties; // which properties of the origin certificate are checked (YamlSNIConfig.h)
  bool tls_server_connection;
  int client_verify_depth;
  long ssl_ctx_options;        // option bitmask for the server contexts (long matches the SSL_CTX_set_options signature — confirm at the consumer)
  long ssl_client_ctx_options; // option bitmask for the client contexts

  // TLS 1.3 cipher suites and supported groups, as colon-separated lists for OpenSSL (presumably).
  char *server_tls13_cipher_suites;
  char *client_tls13_cipher_suites;
  char *server_groups_list;
  char *client_groups_list;

  // TLS 1.3 0-RTT (early data) limits. NOTE(review): early data is replayable by protocol
  // design, so whatever consumes these still has to gate which requests may be served from it.
  static uint32_t server_max_early_data;
  static uint32_t server_recv_max_early_data;
  static bool server_allow_early_data_params;

  static int ssl_maxrecord;
  static int ssl_misc_max_iobuffer_size_index;
  // Whether a peer may initiate renegotiation. NOTE(review): allowing this lets a client force
  // repeated full handshakes; confirm in initialize() that the default keeps it off.
  static bool ssl_allow_client_renegotiation;

  // OCSP stapling: enable flag, cache/request/update timers, and where responses are read from.
  static bool ssl_ocsp_enabled;
  static int ssl_ocsp_cache_timeout;
  static int ssl_ocsp_request_timeout;
  static int ssl_ocsp_update_period;
  static int ssl_handshake_timeout_in; // inbound handshake timeout (units defined where it is applied)
  char *ssl_ocsp_response_path_only;

  // Sizing of the ATS session cache (SSL_SESSION_CACHE_MODE_SERVER_ATS_IMPL).
  static size_t session_cache_number_buckets;
  static size_t session_cache_max_bucket_size;
  static bool session_cache_skip_on_lock_contention;

  // Installed via SSLConfigInit(IpMap *global); by naming, the address set for PROXY
  // protocol handling — confirm at the consumer.
  static IpMap *proxy_protocol_ipmap;

  // Optional hooks (see init_ssl_ctx_func / load_ssl_file_func above); may be unset.
  static init_ssl_ctx_func init_ssl_ctx_cb;
  static load_ssl_file_func load_ssl_file_cb;

  static int async_handshake_enabled;
  // Path of an OpenSSL engine configuration. NOTE(review): an engine config causes module
  // code to be loaded into the process, so this file must be writable only by the administrator.
  static char *engine_conf_file;

  // Default client context, returned by getClientSSL_CTX() (presumably).
  shared_SSL_CTX client_ctx;

  // Client contexts are held by 2-level map:
  // The first level maps from CA bundle file&path to next level map;
  // The second level maps from cert&key to actual SSL_CTX;
  // The second level map owns the client SSL_CTX objects and is responsible for cleaning them up
  using CTX_MAP = std::unordered_map<std::string, shared_SSL_CTX>;
  // mutable: the const getters below can insert into the map (lazy creation — confirm in getCTX());
  // ctxMapLock is named as the guard for top_level_ctx_map and is mutable for the same reason.
  mutable std::unordered_map<std::string, CTX_MAP> top_level_ctx_map;
  mutable ink_mutex ctxMapLock;

  // Returns the context for the default client material.
  shared_SSL_CTX getClientSSL_CTX() const;
  // Returns (and, by the comment above, possibly creates) the client context keyed by
  // the given cert/key and CA bundle file/path.
  shared_SSL_CTX getCTX(const char *client_cert, const char *key_file, const char *ca_bundle_file,
                        const char *ca_bundle_path) const;

  // Drops every cached client context.
  void cleanupCTXTable();

  void initialize();
  void cleanup();
  void reset();
  void SSLConfigInit(IpMap *global);
};
154 
/////////////////////////////////////////////////////////////
//
// class SSLConfig
//
/////////////////////////////////////////////////////////////
160 
struct SSLConfig {
  // Scoped accessor type built on ConfigProcessor::scoped_config (defined elsewhere);
  // presumably pairs acquire() with release() over its lifetime.
  using scoped_config = ConfigProcessor::scoped_config<SSLConfig, SSLConfigParams>;

  // Lifecycle entry points, all defined in the implementation file.
  static void startup();
  static void reconfigure();

  // Hand out the current parameter set; every acquire() is expected to be paired with release().
  static SSLConfigParams *acquire();
  static void release(SSLConfigParams *params);

private:
  // Id under which the active parameter set is registered with the ConfigProcessor.
  static int configid;
};
171 
struct SSLCertificateConfig {
  // Scoped accessor type built on ConfigProcessor::scoped_config (defined elsewhere);
  // presumably pairs acquire() with release() over its lifetime.
  using scoped_config = ConfigProcessor::scoped_config<SSLCertificateConfig, SSLCertLookup>;

  // Lifecycle entry points; unlike SSLConfig these report success, so callers can
  // refuse to run with a broken certificate table. Defined in the implementation file.
  static bool startup();
  static bool reconfigure();

  // Hand out the current certificate lookup table; pair each acquire() with release().
  static SSLCertLookup *acquire();
  static void release(SSLCertLookup *params);

private:
  // Id under which the active lookup table is registered with the ConfigProcessor.
  static int configid;
};
183 
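// Session-ticket key material as loaded from the configured ticket-key file.
// Every member now has an in-class initializer so that a default-constructed
// instance is fully defined; previously ticket_key_filename was left
// indeterminate, and the destructor unconditionally hands the object to
// cleanup() (body not in this file), which would then see garbage on an
// instance whose LoadTicket() never ran.
struct SSLTicketParams : public ConfigInfo {
  ssl_ticket_key_block *default_global_keyblock = nullptr; // active key block; opaque type forward-declared above
  time_t load_time                              = 0;       // when the keys were loaded (clock/units set by LoadTicket)
  char *ticket_key_filename                     = nullptr; // path of the ticket-key file; nullptr until configured

  // Loads the keys; nochange is set by the callee (presumably true when the file is unchanged).
  bool LoadTicket(bool &nochange);
  // Loads keys from an in-memory buffer of ticket_data_len bytes.
  void LoadTicketData(char *ticket_data, int ticket_data_len);
  // Releases whatever LoadTicket/LoadTicketData allocated; safe to call on a fresh instance.
  void cleanup();

  ~SSLTicketParams() override { cleanup(); }
};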
194 
struct SSLTicketKeyConfig {
  // Scoped accessor type built on ConfigProcessor::scoped_config (defined elsewhere).
  using scoped_config = ConfigProcessor::scoped_config<SSLTicketKeyConfig, SSLTicketParams>;

  // Lifecycle entry points, defined in the implementation file. reconfigure_data()
  // takes the ticket material from a buffer instead of the configured file.
  static void startup();
  static bool reconfigure();
  static bool reconfigure_data(char *ticket_data, int ticket_data_len);

  // Fetch the current ticket parameters from the global ConfigProcessor.
  // NOTE(review): unlike release(), this does not guard on configid; what
  // configProcessor.get() returns for an unregistered id is decided there, not here.
  static SSLTicketParams *
  acquire()
  {
    auto *info = configProcessor.get(configid);
    return static_cast<SSLTicketParams *>(info);
  }

  // Return a parameter set obtained from acquire(). A config that was never
  // registered (configid <= 0) has nothing to give back.
  static void
  release(SSLTicketParams *params)
  {
    if (configid <= 0) {
      return;
    }
    configProcessor.release(configid, params);
  }

private:
  // Id under which the active ticket parameters are registered with the ConfigProcessor.
  static int configid;
};
219 
// Process-wide ATS session cache (SSLSessionCache.h); defined, and presumably created
// during SSL initialization, in the implementation file.
extern SSLSessionCache *session_cache;
221