Security Namespace Reference

Network/connection security abstraction layer.




class  Alert
 TLS Alert protocol frame from RFC 5246 Section 7.2. More...
class  BlindPeerConnector
 A simple PeerConnector for SSL/TLS cache_peers. No SslBump capabilities. More...
class  CertError
class  EncryptorAnswer
class  ErrorDetail
class  Extension
 TLS Hello Extension from RFC 5246 Section More...
class  Handshake
 TLS Handshake Protocol frame from RFC 5246 Section 7.4. More...
class  HandshakeParser
 Incremental TLS/SSL Handshake parser. More...
class  IoResult
 a summary a TLS I/O operation outcome More...
class  KeyData
 TLS certificate and private key details from squid.conf. More...
class  LockingPointer
class  NegotiationHistory
class  PeerConnector
class  PeerOptions
 TLS squid.conf settings for a remote server peer. More...
class  ServerOptions
 TLS squid.conf settings for a listening port. More...
class  Sslv2Record
 draft-hickman-netscape-ssl-00. Section 4.1. SSL Record Header Format More...
class  TlsDetails
class  TLSPlaintext
 TLS Record Layer's frame from RFC 5246 Section 6.2.1. More...


typedef std::shared_ptr< SSL_CTX > ContextPointer
typedef std::map< ErrorCode, const char * > ErrorCodeNames
typedef CbDataList< Security::CertErrorCertErrors
 Holds a list of X.509 certificate errors. More...
typedef X509 Certificate
typedef Security::LockingPointer< X509, X509_free_cpp, HardFun< int, X509 *, X509_up_ref > > CertPointer
typedef Security::LockingPointer< X509_CRL, X509_CRL_free_cpp, HardFun< int, X509_CRL *, X509_CRL_up_ref > > CrlPointer
typedef std::list< Security::CertPointerCertList
typedef std::list< Security::CrlPointerCertRevokeList
typedef Security::LockingPointer< DH, DH_free_cpp, HardFun< int, DH *, DH_up_ref > > DhePointer
typedef int ErrorCode
 Squid-defined error code (<0), an error code returned by X.509 API, or zero. More...
typedef unsigned long LibErrorCode
 TLS library-reported non-validation error. More...
typedef std::unordered_set< Security::ErrorCodeErrors
typedef long ParsedOptions
typedef long ParsedPortFlags
typedef RefCount< ErrorDetailErrorDetailPointer
typedef std::unordered_set< Extension::TypeExtensions
 Extension types optimized for fast lookups. More...
typedef SessionPointer::element_type * ConnectionPointer
typedef HardFun< bool, const void *, nilFunctionNilFunctor
typedef std::shared_ptr< SSL > SessionPointer
typedef std::unique_ptr< SSL_SESSION, HardFun< void, SSL_SESSION *, &SSL_SESSION_free > > SessionStatePointer


enum  ContentType {
  ctChangeCipherSpec = 20,
  ctAlert = 21,
  ctHandshake = 22,
  ctApplicationData = 23
 TLS Record Layer's content types from RFC 5246 Section 6.2.1. More...
enum  HandshakeType {
  hskClientHello = 1,
  hskServerHello = 2,
  hskCertificate = 11,
  hskServerHelloDone = 14
 TLS Handshake protocol's handshake types from RFC 5246 Section 7.4. More...


std::ostream & operator<< (std::ostream &, const Security::EncryptorAnswer &)
ErrorCode ErrorCodeFromName (const char *name)
const char * ErrorNameFromCode (ErrorCode err, bool prefixRawCode=false)
 CtoCpp1 (X509_free, X509 *)
 CtoCpp1 (X509_CRL_free, X509_CRL *)
 CtoCpp1 (DH_free, DH *)
const char * ErrorString (const LibErrorCode code)
 converts numeric LibErrorCode into a human-friendlier string More...
static Extensions SupportedExtensions ()
 A helper function to create a set of all supported TLS extensions. More...
static AnyP::ProtocolVersion ParseProtocolVersionBase (Parser::BinaryTokenizer &tk, const char *contextLabel, const bool beStrict)
static AnyP::ProtocolVersion ParseProtocolVersion (Parser::BinaryTokenizer &tk)
static AnyP::ProtocolVersion ParseOptionalProtocolVersion (Parser::BinaryTokenizer &tk, const char *contextLabel)
std::ostream & operator<< (std::ostream &os, Security::TlsDetails const &details)
bool TlsFamilyProtocol (const AnyP::ProtocolVersion &version)
 whether the given protocol belongs to the TLS/SSL group of protocols More...
bool TlsVersionEarlierThan (const AnyP::ProtocolVersion &a, const AnyP::ProtocolVersion &b)
 whether TLS/SSL protocol a precedes TLS/SSL protocol b More...
bool Tls1p2orEarlier (const AnyP::ProtocolVersion &p)
 whether the given TLS/SSL protocol is TLS v1.2 or earlier, including SSL More...
bool Tls1p3orLater (const AnyP::ProtocolVersion &p)
 whether the given TLS/SSL protocol is TLS v1.3 or later More...
template<typename Fun >
static IoResult Handshake (Comm::Connection &, ErrorCode, Fun)
static void PrepForIo ()
IoResult Accept (Comm::Connection &transport)
 accept a TLS connection over the specified to-Squid transport connection More...
IoResult Connect (Comm::Connection &transport)
 establish a TLS connection over the specified from-Squid transport connection More...
void ForgetErrors ()
 clear any errors that a TLS library has accumulated in its global storage More...
bool nilFunction (const void *)
bool CreateClientSession (const Security::ContextPointer &, const Comm::ConnectionPointer &, const char *squidCtx)
bool CreateServerSession (const Security::ContextPointer &, const Comm::ConnectionPointer &, Security::PeerOptions &, const char *squidCtx)
void SessionSendGoodbye (const Security::SessionPointer &)
 send the shutdown/bye notice for an active TLS session. More...
bool SessionIsResumed (const Security::SessionPointer &)
 whether the session is a resumed one More...
void MaybeGetSessionResumeData (const Security::SessionPointer &, Security::SessionStatePointer &data)
void SetSessionResumeData (const Security::SessionPointer &, const Security::SessionStatePointer &)
void SetSessionCacheCallbacks (Security::ContextPointer &)
 Setup the given TLS context with callbacks used to manage the session cache. More...
Security::ContextPointer GetFrom (Security::SessionPointer &s)
 Helper function to retrieve a (non-locked) ContextPointer from a SessionPointer. More...
Security::SessionPointer NewSessionObject (const Security::ContextPointer &)


static const ErrorCodeNames TheErrorCodeNames
static const uint64_t HelloRandomSize = 32
 The size of the TLS Random structure from RFC 5246 Section More...
PeerOptions ProxyOutgoingConfig
 configuration options for DIRECT server access More...

Typedef Documentation

◆ CertErrors

Definition at line 62 of file forward.h.

◆ Certificate

typedef X509 Security::Certificate

Definition at line 65 of file forward.h.

◆ CertList

Definition at line 91 of file forward.h.

◆ CertPointer

typedef Security::LockingPointer<X509, X509_free_cpp, HardFun<int, X509 *, X509_up_ref> > Security::CertPointer

Definition at line 74 of file forward.h.

◆ CertRevokeList

Definition at line 93 of file forward.h.

◆ ConnectionPointer

typedef SessionPointer::element_type* Security::ConnectionPointer

Definition at line 21 of file

◆ ContextPointer

typedef std::shared_ptr<SSL_CTX> Security::ContextPointer

Definition at line 29 of file Context.h.

◆ CrlPointer

typedef Security::LockingPointer<X509_CRL, X509_CRL_free_cpp, HardFun<int, X509_CRL *, X509_CRL_up_ref> > Security::CrlPointer

Definition at line 83 of file forward.h.

◆ DhePointer

typedef Security::LockingPointer<DH, DH_free_cpp, HardFun<int, DH *, DH_up_ref> > Security::DhePointer

Definition at line 97 of file forward.h.

◆ ErrorCode

Definition at line 105 of file forward.h.

◆ ErrorCodeNames

typedef std::map<ErrorCode, const char *> Security::ErrorCodeNames

Definition at line 31 of file

◆ ErrorDetailPointer

Definition at line 189 of file forward.h.

◆ Errors

typedef std::unordered_set<Security::ErrorCode> Security::Errors

set of Squid defined TLS error codes

using std::unordered_set ensures values are unique, with fast lookup

Definition at line 135 of file forward.h.

◆ Extensions

typedef std::unordered_set<Extension::Type> Security::Extensions

Definition at line 105 of file

◆ LibErrorCode

typedef unsigned long Security::LibErrorCode

the result of the first ERR_get_error(3SSL) call after a library call; openssl errstr expands these numbers into human-friendlier strings like error:1408F09C:SSL routines:ssl3_get_record:http request

Definition at line 112 of file forward.h.

◆ NilFunctor

typedef HardFun<bool, const void *, nilFunction> Security::NilFunctor

Definition at line 41 of file LockingPointer.h.

◆ ParsedOptions

Definition at line 162 of file forward.h.

◆ ParsedPortFlags

bitmask representing configured http(s)_port sslflags as well tls_outgoing_options flags, cache_peer sslflags, and icap_service tls-flags

Definition at line 172 of file forward.h.

◆ SessionPointer

typedef std::shared_ptr<SSL> Security::SessionPointer

Definition at line 44 of file Session.h.

◆ SessionStatePointer

typedef std::unique_ptr<SSL_SESSION, HardFun<void, SSL_SESSION*, &SSL_SESSION_free> > Security::SessionStatePointer

Definition at line 46 of file Session.h.

Enumeration Type Documentation

◆ ContentType


Definition at line 29 of file

◆ HandshakeType


Definition at line 57 of file

Function Documentation

◆ Accept()

Security::IoResult Security::Accept ( Comm::Connection transport)

Definition at line 164 of file

References Handshake(), and SQUID_TLS_ERR_ACCEPT.

Referenced by clientNegotiateSSL(), and ConnStateData::startPeekAndSplice().

◆ Connect()

Security::IoResult Security::Connect ( Comm::Connection transport)

Definition at line 179 of file

References Handshake(), and SQUID_TLS_ERR_CONNECT.

Referenced by Security::PeerConnector::negotiate().

◆ CreateClientSession()

bool Security::CreateClientSession ( const Security::ContextPointer ctx,
const Comm::ConnectionPointer c,
const char *  squidCtx 

Creates TLS Client connection structure (aka 'session' state) and initializes TLS/SSL I/O (Comm and BIO). On errors, emits DBG_IMPORTANT with details and returns false.

Definition at line 184 of file

References Security::Io::BIO_TO_SERVER, CreateSession(), Comm::Connection::getPeer(), and ProxyOutgoingConfig.

Referenced by Security::PeerConnector::initialize().

◆ CreateServerSession()

bool Security::CreateServerSession ( const Security::ContextPointer ctx,
const Comm::ConnectionPointer c,
Security::PeerOptions o,
const char *  squidCtx 

Creates TLS Server connection structure (aka 'session' state) and initializes TLS/SSL I/O (Comm and BIO). On errors, emits DBG_IMPORTANT with details and returns false.

Definition at line 194 of file

References Security::Io::BIO_TO_CLIENT, and CreateSession().

Referenced by httpsCreate().

◆ CtoCpp1() [1/3]

Security::CtoCpp1 ( DH_free  ,
DH *   

◆ CtoCpp1() [2/3]

Security::CtoCpp1 ( X509_CRL_free  ,
X509_CRL *   

◆ CtoCpp1() [3/3]

Security::CtoCpp1 ( X509_free  ,
X509 *   

◆ ErrorCodeFromName()

Security::ErrorCode Security::ErrorCodeFromName ( const char *  name)
ErrorCode with a given name (or zero)

Definition at line 407 of file

References SQUID_TLS_ERR_CONNECT, and TheErrorCodeNames.

Referenced by Ssl::GetErrorCode().

◆ ErrorNameFromCode()

const char * Security::ErrorNameFromCode ( ErrorCode  err,
bool  prefixRawCode = false 
string representation of ErrorCode, including raw X.509 error codes
prefixRawCodewhether to prefix raw codes with "SSL_ERR="

Definition at line 427 of file

References TheErrorCodeNames.

Referenced by Security::ErrorDetail::err_code(), and Ssl::GetErrorName().

◆ ErrorString()

◆ ForgetErrors()

void Security::ForgetErrors ( )

Definition at line 28 of file

References asHex(), and debugs.

Referenced by Security::ErrorDetail::ErrorDetail(), and PrepForIo().

◆ GetFrom()

Security::ContextPointer Security::GetFrom ( Security::SessionPointer s)

◆ Handshake()

template<typename Fun >
static IoResult Security::Handshake ( Comm::Connection ,
ErrorCode  ,

Referenced by Accept(), and Connect().

◆ MaybeGetSessionResumeData()

void Security::MaybeGetSessionResumeData ( const Security::SessionPointer s,
Security::SessionStatePointer data 

When the session is not a resumed session, retrieve the details needed to resume a later connection and store them in 'data'. This may result in 'data' becoming a nil Pointer if no details exist or an error occurs.

When the session is already a resumed session, do nothing and leave 'data' unhanged. XXX: is this latter behaviour always correct?

Definition at line 226 of file

References data, debugs, ErrorString(), and SessionIsResumed().

Referenced by Security::BlindPeerConnector::noteNegotiationDone(), and Ssl::IcapPeerConnector::noteNegotiationDone().

◆ NewSessionObject()

Security::SessionPointer Security::NewSessionObject ( const Security::ContextPointer ctx)
use the PeerOptions/ServerOptions API methods instead. Wraps SessionPointer value creation to reduce risk of a nasty hack in ssl/

Definition at line 97 of file

References debugs.

Referenced by CreateSession(), and Ssl::verifySslCertificate().

◆ nilFunction()

bool Security::nilFunction ( const void *  )

Definition at line 40 of file LockingPointer.h.

◆ operator<<() [1/2]

std::ostream & Security::operator<< ( std::ostream &  os,
const Security::EncryptorAnswer answer 

◆ operator<<() [2/2]

std::ostream& Security::operator<< ( std::ostream &  os,
Security::TlsDetails const &  details 

Definition at line 54 of file Handshake.h.

References Security::TlsDetails::print().

◆ ParseOptionalProtocolVersion()

static AnyP::ProtocolVersion Security::ParseOptionalProtocolVersion ( Parser::BinaryTokenizer tk,
const char *  contextLabel 

parse a framing-unrelated TLS ProtocolVersion

Return values
PROTO_NONEfor unsupported values

Definition at line 147 of file

References ParseProtocolVersionBase().

Referenced by Security::HandshakeParser::parseSupportedVersionsExtension().

◆ ParseProtocolVersion()

static AnyP::ProtocolVersion Security::ParseProtocolVersion ( Parser::BinaryTokenizer tk)

parse a framing-related TLS ProtocolVersion

a supported SSL or TLS Anyp::ProtocolVersion, never PROTO_NONE

Definition at line 139 of file

References ParseProtocolVersionBase().

Referenced by Security::TLSPlaintext::TLSPlaintext(), Security::HandshakeParser::parseClientHelloHandshakeMessage(), Security::HandshakeParser::parseServerHelloHandshakeMessage(), and Security::HandshakeParser::parseVersion2HandshakeMessage().

◆ ParseProtocolVersionBase()

static AnyP::ProtocolVersion Security::ParseProtocolVersionBase ( Parser::BinaryTokenizer tk,
const char *  contextLabel,
const bool  beStrict 

parse TLS ProtocolVersion (uint16) and convert it to AnyP::ProtocolVersion

Return values
PROTO_NONEfor unsupported values (in relaxed mode)

Definition at line 111 of file

References asHex(), debugs, Here, AnyP::PROTO_SSL, AnyP::PROTO_TLS, Ftp::ProtocolVersion(), ToSBuf(), and Parser::BinaryTokenizer::uint8().

Referenced by ParseOptionalProtocolVersion(), and ParseProtocolVersion().

◆ PrepForIo()

static void Security::PrepForIo ( )

the steps necessary to perform before the upcoming TLS I/O to correctly interpret/detail the outcome of that I/O

Definition at line 40 of file

References ForgetErrors().

◆ SessionIsResumed()

bool Security::SessionIsResumed ( const Security::SessionPointer s)

Definition at line 213 of file

References debugs.

Referenced by clientNegotiateSSL(), and MaybeGetSessionResumeData().

◆ SessionSendGoodbye()

void Security::SessionSendGoodbye ( const Security::SessionPointer s)

Definition at line 200 of file

References debugs.

Referenced by commStartTlsClose().

◆ SetSessionCacheCallbacks()

void Security::SetSessionCacheCallbacks ( Security::ContextPointer ctx)

◆ SetSessionResumeData()

void Security::SetSessionResumeData ( const Security::SessionPointer s,
const Security::SessionStatePointer data 

Set the data for resuming a previous session. Needs to be done before using the SessionPointer for a handshake.

Definition at line 247 of file

References data, DBG_CRITICAL, debugs, and ErrorString().

Referenced by Ssl::IcapPeerConnector::initialize(), and Security::BlindPeerConnector::initialize().

◆ SupportedExtensions()

static Security::Extensions Security::SupportedExtensions ( )

Definition at line 711 of file

Referenced by Security::Extension::supported().

◆ Tls1p2orEarlier()

bool Security::Tls1p2orEarlier ( const AnyP::ProtocolVersion p)

◆ Tls1p3orLater()

◆ TlsFamilyProtocol()

bool Security::TlsFamilyProtocol ( const AnyP::ProtocolVersion version)

◆ TlsVersionEarlierThan()

bool Security::TlsVersionEarlierThan ( const AnyP::ProtocolVersion a,
const AnyP::ProtocolVersion b 

Variable Documentation

◆ HelloRandomSize

const uint64_t Security::HelloRandomSize = 32

◆ ProxyOutgoingConfig

Security::PeerOptions Security::ProxyOutgoingConfig

◆ TheErrorCodeNames

const ErrorCodeNames Security::TheErrorCodeNames

Definition at line 32 of file

Referenced by ErrorCodeFromName(), and ErrorNameFromCode().






Web Site Translations