Security Namespace Reference

Network/connection security abstraction layer.




class  Alert
 TLS Alert protocol frame from RFC 5246 Section 7.2. More...
class  BlindPeerConnector
 A simple PeerConnector for SSL/TLS cache_peers. No SslBump capabilities. More...
class  CertError
class  EncryptorAnswer
class  Extension
 TLS Hello Extension from RFC 5246 Section 7.4.1.4 (Hello Extensions). More...
class  Handshake
 TLS Handshake Protocol frame from RFC 5246 Section 7.4. More...
class  HandshakeParser
 Incremental TLS/SSL Handshake parser. More...
class  KeyData
 TLS certificate and private key details from squid.conf. More...
class  LockingPointer
class  NegotiationHistory
class  PeerConnector
class  PeerOptions
 TLS squid.conf settings for a remote server peer. More...
class  ServerOptions
 TLS squid.conf settings for a listening port. More...
class  Sslv2Record
 draft-hickman-netscape-ssl-00. Section 4.1. SSL Record Header Format More...
class  TlsDetails
class  TLSPlaintext
 TLS Record Layer's frame from RFC 5246 Section 6.2.1. More...


typedef std::shared_ptr< SSL_CTX > ContextPointer
typedef CbDataList< Security::CertError > CertErrors
 Holds a list of X.509 certificate errors. More...
typedef Security::LockingPointer< X509, X509_free_cpp, HardFun< int, X509 *, X509_up_ref > > CertPointer
typedef Security::LockingPointer< X509_CRL, X509_CRL_free_cpp, HardFun< int, X509_CRL *, X509_CRL_up_ref > > CrlPointer
typedef std::list< Security::CertPointer > CertList
typedef std::list< Security::CrlPointer > CertRevokeList
typedef Security::LockingPointer< DH, DH_free_cpp, HardFun< int, DH *, DH_up_ref > > DhePointer
typedef int ErrorCode
 Squid defined error code (<0), an error code returned by X.509 API, or SSL_ERROR_NONE. More...
typedef std::unordered_set< Security::ErrorCode > Errors
typedef long ParsedOptions
typedef long ParsedPortFlags
typedef std::unordered_set< Extension::Type > Extensions
 Extension types optimized for fast lookups. More...
typedef HardFun< bool, const void *, nilFunction > NilFunctor
typedef std::shared_ptr< SSL > SessionPointer
typedef std::unique_ptr< SSL_SESSION, HardFun< void, SSL_SESSION *, &SSL_SESSION_free > > SessionStatePointer


enum  ContentType {
  ctChangeCipherSpec = 20,
  ctAlert = 21,
  ctHandshake = 22,
  ctApplicationData = 23
 TLS Record Layer's content types from RFC 5246 Section 6.2.1. More...
enum  HandshakeType {
  hskClientHello = 1,
  hskServerHello = 2,
  hskCertificate = 11,
  hskServerHelloDone = 14
 TLS Handshake protocol's handshake types from RFC 5246 Section 7.4. More...


std::ostream & operator<< (std::ostream &, const Security::EncryptorAnswer &)
 CtoCpp1 (X509_free, X509 *)
 CtoCpp1 (X509_CRL_free, X509_CRL *)
 CtoCpp1 (DH_free, DH *)
const char * ErrorString (const ErrorCode code)
static Extensions SupportedExtensions ()
 A helper function to create a set of all supported TLS extensions. More...
static AnyP::ProtocolVersion ParseProtocolVersionBase (Parser::BinaryTokenizer &tk, const char *contextLabel, const bool beStrict)
static AnyP::ProtocolVersion ParseProtocolVersion (Parser::BinaryTokenizer &tk)
static AnyP::ProtocolVersion ParseOptionalProtocolVersion (Parser::BinaryTokenizer &tk, const char *contextLabel)
std::ostream & operator<< (std::ostream &os, Security::TlsDetails const &details)
bool TlsFamilyProtocol (const AnyP::ProtocolVersion &version)
 whether the given protocol belongs to the TLS/SSL group of protocols More...
bool TlsVersionEarlierThan (const AnyP::ProtocolVersion &a, const AnyP::ProtocolVersion &b)
 whether TLS/SSL protocol a precedes TLS/SSL protocol b More...
bool Tls1p2orEarlier (const AnyP::ProtocolVersion &p)
 whether the given TLS/SSL protocol is TLS v1.2 or earlier, including SSL More...
bool Tls1p3orLater (const AnyP::ProtocolVersion &p)
 whether the given TLS/SSL protocol is TLS v1.3 or later More...
bool nilFunction (const void *)
bool CreateClientSession (const Security::ContextPointer &, const Comm::ConnectionPointer &, const char *squidCtx)
bool CreateServerSession (const Security::ContextPointer &, const Comm::ConnectionPointer &, Security::PeerOptions &, const char *squidCtx)
void SessionSendGoodbye (const Security::SessionPointer &)
 send the shutdown/bye notice for an active TLS session. More...
bool SessionIsResumed (const Security::SessionPointer &)
 whether the session is a resumed one More...
void MaybeGetSessionResumeData (const Security::SessionPointer &, Security::SessionStatePointer &data)
void SetSessionResumeData (const Security::SessionPointer &, const Security::SessionStatePointer &)
void SetSessionCacheCallbacks (Security::ContextPointer &)
 Setup the given TLS context with callbacks used to manage the session cache. More...
Security::ContextPointer GetFrom (Security::SessionPointer &s)
 Helper function to retrieve a (non-locked) ContextPointer from a SessionPointer. More...
Security::SessionPointer NewSessionObject (const Security::ContextPointer &)


static const uint64_t HelloRandomSize = 32
 The size (in bytes) of the TLS Random structure from RFC 5246 Section 7.4.1.2. More...
PeerOptions ProxyOutgoingConfig
 configuration options for DIRECT server access More...

Typedef Documentation

◆ CertErrors

Definition at line 58 of file forward.h.

◆ CertList

Definition at line 81 of file forward.h.

◆ CertPointer

typedef Security::LockingPointer<X509, X509_free_cpp, HardFun<int, X509 *, X509_up_ref> > Security::CertPointer

Definition at line 64 of file forward.h.

◆ CertRevokeList

Definition at line 83 of file forward.h.

◆ ContextPointer

typedef std::shared_ptr<SSL_CTX> Security::ContextPointer

Definition at line 29 of file Context.h.

◆ CrlPointer

typedef Security::LockingPointer<X509_CRL, X509_CRL_free_cpp, HardFun<int, X509_CRL *, X509_CRL_up_ref> > Security::CrlPointer

Definition at line 73 of file forward.h.

◆ DhePointer

typedef Security::LockingPointer<DH, DH_free_cpp, HardFun<int, DH *, DH_up_ref> > Security::DhePointer

Definition at line 87 of file forward.h.

◆ ErrorCode

Definition at line 92 of file forward.h.

◆ Errors

typedef std::unordered_set<Security::ErrorCode> Security::Errors

set of Squid defined TLS error codes

using std::unordered_set ensures values are unique, with fast lookup

Definition at line 109 of file forward.h.

◆ Extensions

typedef std::unordered_set<Extension::Type> Security::Extensions

Definition at line 105 of file

◆ NilFunctor

typedef HardFun<bool, const void *, nilFunction> Security::NilFunctor

Definition at line 41 of file LockingPointer.h.

◆ ParsedOptions

Definition at line 130 of file forward.h.

◆ ParsedPortFlags

bitmask representing the configured http(s)_port sslflags as well as the tls_outgoing_options flags, cache_peer sslflags, and icap_service tls-flags

Definition at line 143 of file forward.h.

◆ SessionPointer

typedef std::shared_ptr<SSL> Security::SessionPointer

Definition at line 44 of file Session.h.

◆ SessionStatePointer

typedef std::unique_ptr<SSL_SESSION, HardFun<void, SSL_SESSION*, &SSL_SESSION_free> > Security::SessionStatePointer

Definition at line 46 of file Session.h.

Enumeration Type Documentation

◆ ContentType


Definition at line 29 of file

◆ HandshakeType


Definition at line 57 of file

Function Documentation

◆ CreateClientSession()

bool Security::CreateClientSession ( const Security::ContextPointer &ctx,
const Comm::ConnectionPointer &c,
const char *squidCtx )

Creates TLS Client connection structure (aka 'session' state) and initializes TLS/SSL I/O (Comm and BIO). On errors, emits DBG_IMPORTANT with details and returns false.

Definition at line 184 of file

References Security::Io::BIO_TO_SERVER, CreateSession(), Comm::Connection::getPeer(), and ProxyOutgoingConfig.

Referenced by Security::PeerConnector::initialize().

◆ CreateServerSession()

bool Security::CreateServerSession ( const Security::ContextPointer &ctx,
const Comm::ConnectionPointer &c,
Security::PeerOptions &o,
const char *squidCtx )

Creates TLS Server connection structure (aka 'session' state) and initializes TLS/SSL I/O (Comm and BIO). On errors, emits DBG_IMPORTANT with details and returns false.

Definition at line 194 of file

References Security::Io::BIO_TO_CLIENT, and CreateSession().

Referenced by httpsCreate().

◆ CtoCpp1() [1/3]

Security::CtoCpp1 ( DH_free  ,
DH *   

◆ CtoCpp1() [2/3]

Security::CtoCpp1 ( X509_CRL_free  ,
X509_CRL *   

◆ CtoCpp1() [3/3]

Security::CtoCpp1 ( X509_free  ,
X509 *   

◆ ErrorString()

◆ GetFrom()

Security::ContextPointer Security::GetFrom ( Security::SessionPointer &s )

◆ MaybeGetSessionResumeData()

void Security::MaybeGetSessionResumeData ( const Security::SessionPointer &s,
Security::SessionStatePointer &data )

When the session is not a resumed session, retrieve the details needed to resume a later connection and store them in 'data'. This may result in 'data' becoming a nil Pointer if no details exist or an error occurs.

When the session is already a resumed session, do nothing and leave 'data' unchanged. XXX: is this latter behaviour always correct?

Definition at line 226 of file

References data, debugs, ErrorString(), and SessionIsResumed().

Referenced by Security::BlindPeerConnector::noteNegotiationDone(), and Ssl::IcapPeerConnector::noteNegotiationDone().

◆ NewSessionObject()

Security::SessionPointer Security::NewSessionObject ( const Security::ContextPointer &ctx )
Prefer the PeerOptions/ServerOptions API methods instead. Wraps SessionPointer value creation to reduce the risk of a nasty hack in ssl/.

Definition at line 97 of file

References debugs.

Referenced by CreateSession(), and Ssl::verifySslCertificate().

◆ nilFunction()

bool Security::nilFunction ( const void *  )

Definition at line 40 of file LockingPointer.h.

◆ operator<<() [1/2]

std::ostream & Security::operator<< ( std::ostream &os,
const Security::EncryptorAnswer &answer )

◆ operator<<() [2/2]

std::ostream& Security::operator<< ( std::ostream &  os,
Security::TlsDetails const &  details 

Definition at line 54 of file Handshake.h.

References Security::TlsDetails::print().

◆ ParseOptionalProtocolVersion()

static AnyP::ProtocolVersion Security::ParseOptionalProtocolVersion ( Parser::BinaryTokenizer &tk,
const char *contextLabel )

Parse a framing-unrelated TLS ProtocolVersion (e.g. a value inside the supported_versions extension) in relaxed mode.

Return values
PROTO_NONE for unsupported values (callers must be prepared to skip such entries rather than treat them as a negotiated version)

Definition at line 147 of file

References ParseProtocolVersionBase().

Referenced by Security::HandshakeParser::parseSupportedVersionsExtension().

◆ ParseProtocolVersion()

static AnyP::ProtocolVersion Security::ParseProtocolVersion ( Parser::BinaryTokenizer &tk )

Parse a framing-related TLS ProtocolVersion (record-layer or Hello message version) in strict mode.

Returns a supported SSL or TLS AnyP::ProtocolVersion, never PROTO_NONE. An unsupported value is therefore not mapped to PROTO_NONE here; presumably it is rejected as a parse failure inside ParseProtocolVersionBase() — confirm against the definition.

Definition at line 139 of file

References ParseProtocolVersionBase().

Referenced by Security::HandshakeParser::parseClientHelloHandshakeMessage(), Security::HandshakeParser::parseServerHelloHandshakeMessage(), Security::HandshakeParser::parseVersion2HandshakeMessage(), and Security::TLSPlaintext::TLSPlaintext().

◆ ParseProtocolVersionBase()

static AnyP::ProtocolVersion Security::ParseProtocolVersionBase ( Parser::BinaryTokenizer &tk,
const char *contextLabel,
const bool beStrict )

Parse a TLS ProtocolVersion (two uint8 fields: major, minor) and convert it to an AnyP::ProtocolVersion. The beStrict flag selects whether unsupported values are tolerated (relaxed mode) or rejected.

Return values
PROTO_NONE for unsupported values (in relaxed mode only; in strict mode the caller never sees PROTO_NONE, see ParseProtocolVersion())

Definition at line 111 of file

References asHex(), debugs, Here, AnyP::PROTO_SSL, AnyP::PROTO_TLS, Ftp::ProtocolVersion(), ToSBuf(), and Parser::BinaryTokenizer::uint8().

Referenced by ParseOptionalProtocolVersion(), and ParseProtocolVersion().

◆ SessionIsResumed()

bool Security::SessionIsResumed ( const Security::SessionPointer &s )

Definition at line 213 of file

References debugs.

Referenced by clientNegotiateSSL(), and MaybeGetSessionResumeData().

◆ SessionSendGoodbye()

void Security::SessionSendGoodbye ( const Security::SessionPointer &s )

Definition at line 200 of file

References debugs.

Referenced by commStartTlsClose().

◆ SetSessionCacheCallbacks()

void Security::SetSessionCacheCallbacks ( Security::ContextPointer &ctx )

◆ SetSessionResumeData()

void Security::SetSessionResumeData ( const Security::SessionPointer &s,
const Security::SessionStatePointer &data )

Set the data for resuming a previous session. Needs to be done before using the SessionPointer for a handshake. Resumption data should only be applied to a session for the same peer it was captured from (see MaybeGetSessionResumeData()); on failure this function logs at DBG_CRITICAL (see references below) and presumably the connection proceeds with a full handshake — confirm against the definition.

Definition at line 247 of file

References data, DBG_CRITICAL, debugs, and ErrorString().

Referenced by Security::BlindPeerConnector::initialize(), and Ssl::IcapPeerConnector::initialize().

◆ SupportedExtensions()

static Security::Extensions Security::SupportedExtensions ( )

Definition at line 711 of file

Referenced by Security::Extension::supported().

◆ Tls1p2orEarlier()

bool Security::Tls1p2orEarlier ( const AnyP::ProtocolVersion &p )

◆ Tls1p3orLater()

◆ TlsFamilyProtocol()

bool Security::TlsFamilyProtocol ( const AnyP::ProtocolVersion &version )

◆ TlsVersionEarlierThan()

bool Security::TlsVersionEarlierThan ( const AnyP::ProtocolVersion &a,
const AnyP::ProtocolVersion &b )

Variable Documentation

◆ HelloRandomSize

const uint64_t Security::HelloRandomSize = 32

◆ ProxyOutgoingConfig

Security::PeerOptions Security::ProxyOutgoingConfig





