Network/connection security abstraction layer.
Namespaces
    Io

Classes
    class Alert
        TLS Alert protocol frame from RFC 5246 Section 7.2.
    class BlindPeerConnector
        A simple PeerConnector for SSL/TLS cache_peers. No SslBump capabilities.
    class CertError
    class EncryptorAnswer
    class ErrorDetail
    class Extension
        TLS Hello Extension from RFC 5246 Section 7.4.1.4.
    class Handshake
        TLS Handshake Protocol frame from RFC 5246 Section 7.4.
    class HandshakeParser
        Incremental TLS/SSL Handshake parser.
    class IoResult
        A summary of a TLS I/O operation outcome.
    class KeyData
        TLS certificate and private key details from squid.conf.
    class LockingPointer
    class NegotiationHistory
    class PeerConnector
    class PeerOptions
        TLS squid.conf settings for a remote server peer.
    class ServerOptions
        TLS squid.conf settings for a listening port.
    class Sslv2Record
        draft-hickman-netscape-ssl-00, Section 4.1: SSL Record Header Format.
    class TlsDetails
    class TLSPlaintext
        TLS Record Layer's frame from RFC 5246 Section 6.2.1.
Typedefs
    typedef std::shared_ptr< SSL_CTX > ContextPointer
    typedef std::map< ErrorCode, const char * > ErrorCodeNames
    typedef CbDataList< Security::CertError > CertErrors
        Holds a list of X.509 certificate errors.
    typedef X509 Certificate
    typedef Security::LockingPointer< X509, X509_free_cpp, HardFun< int, X509 *, X509_up_ref > > CertPointer
    typedef Security::LockingPointer< X509_CRL, X509_CRL_free_cpp, HardFun< int, X509_CRL *, X509_CRL_up_ref > > CrlPointer
    typedef std::list< Security::CertPointer > CertList
    typedef std::list< Security::CrlPointer > CertRevokeList
    typedef Security::LockingPointer< DH, DH_free_cpp, HardFun< int, DH *, DH_up_ref > > DhePointer
    typedef int ErrorCode
        Squid-defined error code (<0), an error code returned by X.509 API, or zero.
    typedef unsigned long LibErrorCode
        TLS library-reported non-validation error.
    typedef std::unordered_set< Security::ErrorCode > Errors
    typedef long ParsedOptions
    typedef long ParsedPortFlags
    typedef RefCount< ErrorDetail > ErrorDetailPointer
    typedef std::unordered_set< Extension::Type > Extensions
        Extension types optimized for fast lookups.
    typedef SessionPointer::element_type * ConnectionPointer
    typedef HardFun< bool, const void *, nilFunction > NilFunctor
    typedef std::shared_ptr< SSL > SessionPointer
    typedef std::unique_ptr< SSL_SESSION, HardFun< void, SSL_SESSION *, &SSL_SESSION_free > > SessionStatePointer
Enumerations
    enum ContentType { ctChangeCipherSpec = 20, ctAlert = 21, ctHandshake = 22, ctApplicationData = 23 }
        TLS Record Layer's content types from RFC 5246 Section 6.2.1.
    enum HandshakeType { hskClientHello = 1, hskServerHello = 2, hskCertificate = 11, hskServerHelloDone = 14 }
        TLS Handshake protocol's handshake types from RFC 5246 Section 7.4.
Functions
    std::ostream & operator<< (std::ostream &, const Security::EncryptorAnswer &)
    ErrorCode ErrorCodeFromName (const char *name)
    const char * ErrorNameFromCode (ErrorCode err, bool prefixRawCode=false)
    CtoCpp1 (X509_free, X509 *)
    CtoCpp1 (X509_CRL_free, X509_CRL *)
    CtoCpp1 (DH_free, DH *)
    const char * ErrorString (const LibErrorCode code)
        converts numeric LibErrorCode into a human-friendlier string
    static Extensions SupportedExtensions ()
        A helper function to create a set of all supported TLS extensions.
    static AnyP::ProtocolVersion ParseProtocolVersionBase (Parser::BinaryTokenizer &tk, const char *contextLabel, const bool beStrict)
    static AnyP::ProtocolVersion ParseProtocolVersion (Parser::BinaryTokenizer &tk)
    static AnyP::ProtocolVersion ParseOptionalProtocolVersion (Parser::BinaryTokenizer &tk, const char *contextLabel)
    std::ostream & operator<< (std::ostream &os, Security::TlsDetails const &details)
    bool TlsFamilyProtocol (const AnyP::ProtocolVersion &version)
        whether the given protocol belongs to the TLS/SSL group of protocols
    bool TlsVersionEarlierThan (const AnyP::ProtocolVersion &a, const AnyP::ProtocolVersion &b)
        whether TLS/SSL protocol a precedes TLS/SSL protocol b
    bool Tls1p2orEarlier (const AnyP::ProtocolVersion &p)
        whether the given TLS/SSL protocol is TLS v1.2 or earlier, including SSL
    bool Tls1p3orLater (const AnyP::ProtocolVersion &p)
        whether the given TLS/SSL protocol is TLS v1.3 or later
    template<typename Fun> static IoResult Handshake (Comm::Connection &, ErrorCode, Fun)
    static void PrepForIo ()
    IoResult Accept (Comm::Connection &transport)
        accept a TLS connection over the specified to-Squid transport connection
    IoResult Connect (Comm::Connection &transport)
        establish a TLS connection over the specified from-Squid transport connection
    void ForgetErrors ()
        clear any errors that a TLS library has accumulated in its global storage
    bool nilFunction (const void *)
    bool CreateClientSession (const Security::ContextPointer &, const Comm::ConnectionPointer &, const char *squidCtx)
    bool CreateServerSession (const Security::ContextPointer &, const Comm::ConnectionPointer &, Security::PeerOptions &, const char *squidCtx)
    void SessionSendGoodbye (const Security::SessionPointer &)
        send the shutdown/bye notice for an active TLS session.
    bool SessionIsResumed (const Security::SessionPointer &)
        whether the session is a resumed one
    void MaybeGetSessionResumeData (const Security::SessionPointer &, Security::SessionStatePointer &data)
    void SetSessionResumeData (const Security::SessionPointer &, const Security::SessionStatePointer &)
    void SetSessionCacheCallbacks (Security::ContextPointer &)
        Setup the given TLS context with callbacks used to manage the session cache.
    Security::ContextPointer GetFrom (Security::SessionPointer &s)
        Helper function to retrieve a (non-locked) ContextPointer from a SessionPointer.
    Security::SessionPointer NewSessionObject (const Security::ContextPointer &)
Variables
    static const ErrorCodeNames TheErrorCodeNames
    static const uint64_t HelloRandomSize = 32
        The size of the TLS Random structure from RFC 5246 Section 7.4.1.2.
    PeerOptions ProxyOutgoingConfig
        configuration options for DIRECT server access
Typedef Documentation
◆ CertErrors
typedef CbDataList<Security::CertError> Security::CertErrors
Holds a list of X.509 certificate errors.
◆ Certificate
typedef X509 Security::Certificate |
◆ CertList
typedef std::list<Security::CertPointer> Security::CertList |
◆ CertPointer
typedef Security::LockingPointer<X509, X509_free_cpp, HardFun<int, X509 *, X509_up_ref> > Security::CertPointer |
◆ CertRevokeList
typedef std::list<Security::CrlPointer> Security::CertRevokeList |
◆ ConnectionPointer
typedef SessionPointer::element_type* Security::ConnectionPointer |
◆ ContextPointer
typedef std::shared_ptr<SSL_CTX> Security::ContextPointer |
◆ CrlPointer
typedef Security::LockingPointer<X509_CRL, X509_CRL_free_cpp, HardFun<int, X509_CRL *, X509_CRL_up_ref> > Security::CrlPointer |
◆ DhePointer
typedef Security::LockingPointer<DH, DH_free_cpp, HardFun<int, DH *, DH_up_ref> > Security::DhePointer |
◆ ErrorCode
typedef int Security::ErrorCode |
◆ ErrorCodeNames
typedef std::map<ErrorCode, const char *> Security::ErrorCodeNames |
Definition at line 31 of file ErrorDetail.cc.
◆ ErrorDetailPointer
typedef RefCount<ErrorDetail> Security::ErrorDetailPointer
◆ Errors
typedef std::unordered_set<Security::ErrorCode> Security::Errors |
◆ Extensions
typedef std::unordered_set<Extension::Type> Security::Extensions |
Definition at line 105 of file Handshake.cc.
◆ LibErrorCode
typedef unsigned long Security::LibErrorCode |
◆ NilFunctor
typedef HardFun<bool, const void *, nilFunction> Security::NilFunctor |
Definition at line 41 of file LockingPointer.h.
◆ ParsedOptions
typedef long Security::ParsedOptions |
◆ ParsedPortFlags
typedef long Security::ParsedPortFlags |
◆ SessionPointer
typedef std::shared_ptr<SSL> Security::SessionPointer |
◆ SessionStatePointer
typedef std::unique_ptr<SSL_SESSION, HardFun<void, SSL_SESSION*, &SSL_SESSION_free> > Security::SessionStatePointer |
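The pointer typedefs above (CertPointer, CrlPointer, DhePointer, SessionStatePointer) all combine a library object with its C-style free and up_ref functions through HardFun and LockingPointer. The following is an added example of that RAII pattern and is not Squid's implementation: it uses a hypothetical refcounted type (Thing, Thing_new, Thing_up_ref, Thing_free) in place of X509 and its OpenSSL functions, and a simplified LockingPointer that takes function pointers where Squid's takes functor types. The point it demonstrates is the one that matters for memory safety in a TLS proxy: copies take a reference, destruction releases exactly one, and adopting an already-owned reference does not take another.

```cpp
// Added example (not Squid code): the RAII pattern behind Security::LockingPointer and
// HardFun, on a hypothetical refcounted C-style object standing in for X509.
#include <memory>
#include <type_traits>
#include <utility>

namespace ptrdemo {

// Hypothetical C-style API: Thing_new/Thing_up_ref/Thing_free play the roles of
// X509_new/X509_up_ref/X509_free. liveThings makes leaks and double frees observable.
struct Thing { int refs = 1; int payload = 0; };
static int liveThings = 0;

Thing *Thing_new(int payload) { ++liveThings; Thing *t = new Thing; t->payload = payload; return t; }
int Thing_up_ref(Thing *t) { ++t->refs; return 1; }
void Thing_free(Thing *t) { if (t && --t->refs == 0) { delete t; --liveThings; } }

// HardFun: a stateless functor that binds a plain C function at compile time, so it
// can serve as a std::unique_ptr deleter without enlarging the pointer.
template <typename Ret, typename Arg, Ret (*fun)(Arg)>
struct HardFun { Ret operator()(Arg a) const { return fun(a); } };

// LockingPointer: shared ownership through the library's own reference count.
// Copying locks (up_ref), destruction unlocks (free); the constructor adopts a
// reference the caller already owns, as with OpenSSL's *_get1_* style getters.
// Simplified: Squid's version takes functor types; this one takes function pointers.
template <typename T, void (*UnLocker)(T *), int (*Locker)(T *)>
class LockingPointer {
public:
    LockingPointer() = default;
    explicit LockingPointer(T *t) : raw(t) {}
    LockingPointer(const LockingPointer &o) { resetAndLock(o.raw); }
    LockingPointer(LockingPointer &&o) noexcept : raw(o.raw) { o.raw = nullptr; }
    ~LockingPointer() { unlock(); }
    LockingPointer &operator=(const LockingPointer &o) { resetAndLock(o.raw); return *this; }
    LockingPointer &operator=(LockingPointer &&o) noexcept {
        if (this != &o) { unlock(); raw = o.raw; o.raw = nullptr; }
        return *this;
    }
    // Lock the new object first, then drop the old one: safe even when t == raw.
    void resetAndLock(T *t) { if (t) Locker(t); unlock(); raw = t; }
    // Adopt a reference the caller owns without taking another one.
    void resetWithoutLocking(T *t) { unlock(); raw = t; }
    T *get() const { return raw; }
    explicit operator bool() const { return raw != nullptr; }
private:
    void unlock() { if (raw) UnLocker(raw); raw = nullptr; }
    T *raw = nullptr;
};

using ThingPointer = LockingPointer<Thing, Thing_free, Thing_up_ref>;
using ThingUniquePointer = std::unique_ptr<Thing, HardFun<void, Thing *, Thing_free>>;

// Two owners of one Thing: the refcount is 2 while both are alive.
int refsWhileShared() {
    ThingPointer a(Thing_new(7));   // adopts the reference Thing_new handed out
    ThingPointer b(a);              // locks: refs 1 -> 2
    ThingPointer c;
    c = b;                          // locks again: refs 2 -> 3
    c.resetWithoutLocking(nullptr); // unlocks: refs 3 -> 2
    return a.get()->refs;           // a and b release the rest on scope exit
}

// Every ownership path above ends with exactly one Thing_free per reference taken.
bool allReleased() {
    {
        ThingPointer a(Thing_new(1));
        ThingPointer b = a;
        ThingUniquePointer u(Thing_new(2));
        ThingPointer moved(std::move(b));   // b gives up its reference: no lock, no unlock
        (void)u; (void)moved;
    }
    return liveThings == 0;
}

// HardFun carries no state, which is what lets unique_ptr hold it for free.
bool deleterIsStateless() {
    return std::is_empty<HardFun<void, Thing *, Thing_free>>::value;
}

} // namespace ptrdemo
```

The same shape explains the typedef split on this page: a LockingPointer is used where several Squid objects may share one certificate or CRL (CertPointer, CrlPointer, DhePointer), while SessionStatePointer is a plain unique_ptr because SSL_SESSION resume data has a single owner and only needs the HardFun-wrapped SSL_SESSION_free.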
Enumeration Type Documentation
◆ ContentType
Enumerators:
    ctChangeCipherSpec = 20
    ctAlert = 21
    ctHandshake = 22
    ctApplicationData = 23
Definition at line 29 of file Handshake.cc.
◆ HandshakeType
Enumerators:
    hskClientHello = 1
    hskServerHello = 2
    hskCertificate = 11
    hskServerHelloDone = 14
Definition at line 57 of file Handshake.cc.
Function Documentation
◆ Accept()
Security::IoResult Security::Accept (Comm::Connection & transport)
accept a TLS connection over the specified to-Squid transport connection
Definition at line 164 of file Io.cc.
References Handshake(), and SQUID_TLS_ERR_ACCEPT.
Referenced by clientNegotiateSSL(), and ConnStateData::startPeekAndSplice().
◆ Connect()
Security::IoResult Security::Connect (Comm::Connection & transport)
establish a TLS connection over the specified from-Squid transport connection
Definition at line 179 of file Io.cc.
References Handshake(), and SQUID_TLS_ERR_CONNECT.
Referenced by Security::PeerConnector::negotiate().
◆ CreateClientSession()
bool Security::CreateClientSession (const Security::ContextPointer & ctx, const Comm::ConnectionPointer & c, const char * squidCtx)
Creates TLS Client connection structure (aka 'session' state) and initializes TLS/SSL I/O (Comm and BIO). On errors, emits DBG_IMPORTANT with details and returns false.
Definition at line 184 of file Session.cc.
References Security::Io::BIO_TO_SERVER, CreateSession(), Comm::Connection::getPeer(), and ProxyOutgoingConfig.
Referenced by Security::PeerConnector::initialize().
◆ CreateServerSession()
bool Security::CreateServerSession (const Security::ContextPointer & ctx, const Comm::ConnectionPointer & c, Security::PeerOptions & o, const char * squidCtx)
Creates TLS Server connection structure (aka 'session' state) and initializes TLS/SSL I/O (Comm and BIO). On errors, emits DBG_IMPORTANT with details and returns false.
Definition at line 194 of file Session.cc.
References Security::Io::BIO_TO_CLIENT, and CreateSession().
Referenced by httpsCreate().
◆ CtoCpp1() [1/3]
Security::CtoCpp1 (DH_free, DH *)
◆ CtoCpp1() [2/3]
Security::CtoCpp1 (X509_CRL_free, X509_CRL *)
◆ CtoCpp1() [3/3]
Security::CtoCpp1 (X509_free, X509 *)
◆ ErrorCodeFromName()
Security::ErrorCode Security::ErrorCodeFromName (const char * name)
Returns: the ErrorCode with the given name (or zero)
Definition at line 407 of file ErrorDetail.cc.
References SQUID_TLS_ERR_CONNECT, and TheErrorCodeNames.
Referenced by Ssl::GetErrorCode().
◆ ErrorNameFromCode()
const char * Security::ErrorNameFromCode (ErrorCode err, bool prefixRawCode = false)
Returns: string representation of ErrorCode, including raw X.509 error codes
Parameters: prefixRawCode: whether to prefix raw codes with "SSL_ERR="
Definition at line 427 of file ErrorDetail.cc.
References TheErrorCodeNames.
Referenced by Security::ErrorDetail::err_code(), and Ssl::GetErrorName().
◆ ErrorString()
inline const char * Security::ErrorString (const LibErrorCode code)
converts numeric LibErrorCode into a human-friendlier string
Definition at line 123 of file forward.h.
References code.
Referenced by Ssl::chainCertificatesToSSLContext(), Security::PeerOptions::createBlankContext(), Security::ServerOptions::createBlankContext(), CreateSession(), Security::ServerOptions::createStaticServerContext(), Security::ErrorDetail::err_lib_error(), Ssl::InitClientContext(), Ssl::Initialize(), issuerExistInCaDb(), loadSystemTrustedCa(), Security::KeyData::loadX509CertFromFile(), Security::KeyData::loadX509ChainFromFile(), MaybeGetSessionResumeData(), Security::PeerOptions::parseOptions(), Ssl::setClientSNI(), SetSessionResumeData(), Security::PeerOptions::updateContextCa(), Security::ServerOptions::updateContextClientCa(), Security::ServerOptions::updateContextConfig(), Security::ServerOptions::updateContextEecdh(), Security::PeerOptions::updateContextTrust(), and Security::PeerOptions::updateSessionOptions().
◆ ForgetErrors()
void Security::ForgetErrors ()
clear any errors that a TLS library has accumulated in its global storage
Definition at line 28 of file Io.cc.
References asHex(), and debugs.
Referenced by Security::ErrorDetail::ErrorDetail(), and PrepForIo().
◆ GetFrom()
inline Security::ContextPointer Security::GetFrom (Security::SessionPointer & s)
Helper function to retrieve a (non-locked) ContextPointer from a SessionPointer.
Definition at line 90 of file Session.h.
Referenced by ConnStateData::getSslContextStart(), and ConnStateData::sslCrtdHandleReply().
◆ Handshake()
template<typename Fun> static IoResult Security::Handshake (Comm::Connection &, ErrorCode, Fun)
◆ MaybeGetSessionResumeData()
void Security::MaybeGetSessionResumeData (const Security::SessionPointer & s, Security::SessionStatePointer & data)
When the session is not a resumed session, retrieve the details needed to resume a later connection and store them in 'data'. This may result in 'data' becoming a nil pointer if no details exist or an error occurs.
When the session is already a resumed session, do nothing and leave 'data' unchanged. XXX: is this latter behaviour always correct?
Definition at line 226 of file Session.cc.
References data, debugs, ErrorString(), and SessionIsResumed().
Referenced by Security::BlindPeerConnector::noteNegotiationDone(), and Ssl::IcapPeerConnector::noteNegotiationDone().
◆ NewSessionObject()
Security::SessionPointer Security::NewSessionObject (const Security::ContextPointer & ctx)
Deprecated: use the PeerOptions/ServerOptions API methods instead. Wraps SessionPointer value creation to reduce risk of a nasty hack in ssl/support.cc.
Definition at line 97 of file Session.cc.
References debugs.
Referenced by CreateSession(), and Ssl::verifySslCertificate().
◆ nilFunction()
inline bool Security::nilFunction (const void *)
Definition at line 40 of file LockingPointer.h.
◆ operator<<() [1/2]
std::ostream & Security::operator<< (std::ostream & os, const Security::EncryptorAnswer & answer)
Definition at line 19 of file EncryptorAnswer.cc.
References Security::EncryptorAnswer::conn, and Security::EncryptorAnswer::error.
◆ operator<<() [2/2]
inline std::ostream & Security::operator<< (std::ostream & os, Security::TlsDetails const & details)
Definition at line 54 of file Handshake.h.
References Security::TlsDetails::print().
◆ ParseOptionalProtocolVersion()
static AnyP::ProtocolVersion Security::ParseOptionalProtocolVersion (Parser::BinaryTokenizer & tk, const char * contextLabel)
parse a framing-unrelated TLS ProtocolVersion
Return values: PROTO_NONE for unsupported values
Definition at line 147 of file Handshake.cc.
References ParseProtocolVersionBase().
Referenced by Security::HandshakeParser::parseSupportedVersionsExtension().
◆ ParseProtocolVersion()
static AnyP::ProtocolVersion Security::ParseProtocolVersion (Parser::BinaryTokenizer & tk)
parse a framing-related TLS ProtocolVersion
Returns: a supported SSL or TLS AnyP::ProtocolVersion, never PROTO_NONE
Definition at line 139 of file Handshake.cc.
References ParseProtocolVersionBase().
Referenced by Security::TLSPlaintext::TLSPlaintext(), Security::HandshakeParser::parseClientHelloHandshakeMessage(), Security::HandshakeParser::parseServerHelloHandshakeMessage(), and Security::HandshakeParser::parseVersion2HandshakeMessage().
◆ ParseProtocolVersionBase()
static AnyP::ProtocolVersion Security::ParseProtocolVersionBase (Parser::BinaryTokenizer & tk, const char * contextLabel, const bool beStrict)
parse TLS ProtocolVersion (uint16) and convert it to AnyP::ProtocolVersion
Return values: PROTO_NONE for unsupported values (in relaxed mode)
Definition at line 111 of file Handshake.cc.
References asHex(), debugs, Here, AnyP::PROTO_SSL, AnyP::PROTO_TLS, Ftp::ProtocolVersion(), ToSBuf(), and Parser::BinaryTokenizer::uint8().
Referenced by ParseOptionalProtocolVersion(), and ParseProtocolVersion().
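The ContentType and HandshakeType enumerations, HelloRandomSize, and the three ParseProtocolVersion functions above together describe how HandshakeParser walks a TLS record: a 5-byte TLSPlaintext header, a 4-byte Handshake header, then the hello body whose version is parsed strictly (framing-related) while a supported_versions entry is parsed in relaxed mode and becomes PROTO_NONE if unknown. The following is an added example of that walk and is not Squid code: it reuses the enumerator values and the RFC 5246 layouts from this page, but replaces Parser::BinaryTokenizer with a small bounds-checked Reader and AnyP::ProtocolVersion with a plain struct, and its version table is my reading of the documented strict/relaxed behaviour rather than a copy of Squid's. The sample ClientHello bytes are constructed, not captured.

```cpp
// Added example (not Squid code): a minimal walk through the TLS framing that
// Security::HandshakeParser consumes, using the ContentType/HandshakeType values,
// HelloRandomSize, and the strict/relaxed ProtocolVersion split documented above.
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

namespace tlsdemo {
using std::uint8_t; using std::uint16_t; using std::uint32_t; using std::size_t;

enum ContentType : uint8_t { ctChangeCipherSpec = 20, ctAlert = 21, ctHandshake = 22, ctApplicationData = 23 };
enum HandshakeType : uint8_t { hskClientHello = 1, hskServerHello = 2, hskCertificate = 11, hskServerHelloDone = 14 };
constexpr size_t HelloRandomSize = 32;   // RFC 5246 Section 7.4.1.2

// Stand-in for AnyP::ProtocolVersion; family None plays the role of PROTO_NONE.
struct ProtocolVersion { enum Family { None, SSL, TLS } family = None; unsigned vMajor = 0, vMinor = 0; };

// Bounds-checked cursor: running out of bytes throws instead of reading past the buffer.
class Reader {
public:
    explicit Reader(const std::vector<uint8_t> &b) : buf(b) {}
    uint8_t uint8() { need(1); return buf[pos++]; }
    uint16_t uint16() { const uint16_t hi = uint8(); return static_cast<uint16_t>((hi << 8) | uint8()); }
    uint32_t uint24() { const uint32_t hi = uint8(); return (hi << 16) | uint16(); }
    void skip(size_t n) { need(n); pos += n; }
    size_t remaining() const { return buf.size() - pos; }
private:
    void need(size_t n) const { if (remaining() < n) throw std::runtime_error("truncated input"); }
    const std::vector<uint8_t> &buf;
    size_t pos = 0;
};

// Wire {major, minor} -> ProtocolVersion (my reading of ParseProtocolVersionBase):
// 0.2 is SSL 2.0, 3.0 is SSL 3.0, 3.N is TLS 1.(N-1); anything else throws in
// strict mode and yields None (the PROTO_NONE analogue) in relaxed mode.
ProtocolVersion parseVersion(Reader &r, bool beStrict) {
    const uint8_t hi = r.uint8(), lo = r.uint8();
    ProtocolVersion v;
    if (hi == 0 && lo == 2) { v.family = ProtocolVersion::SSL; v.vMajor = 2; return v; }
    if (hi == 3 && lo == 0) { v.family = ProtocolVersion::SSL; v.vMajor = 3; return v; }
    if (hi == 3) { v.family = ProtocolVersion::TLS; v.vMajor = 1; v.vMinor = lo - 1u; return v; }
    if (beStrict)
        throw std::runtime_error("unsupported protocol version " + std::to_string(hi) + "." + std::to_string(lo));
    return v;
}

struct RecordHeader { ContentType type; ProtocolVersion version; uint16_t length; };
struct HandshakeHeader { HandshakeType type; uint32_t length; };

// RFC 5246 Section 6.2.1: TLSPlaintext = type(1) version(2) length(2) fragment.
// The record version is framing-related, so it is parsed strictly (never None).
RecordHeader parseRecordHeader(Reader &r) {
    RecordHeader h;
    h.type = static_cast<ContentType>(r.uint8());
    h.version = parseVersion(r, true);
    h.length = r.uint16();
    if (h.length > 16384) throw std::runtime_error("TLSPlaintext fragment exceeds 2^14");
    if (h.length > r.remaining()) throw std::runtime_error("record not fully buffered");
    return h;
}

// RFC 5246 Section 7.4: Handshake = msg_type(1) length(3) body.
HandshakeHeader parseHandshakeHeader(Reader &r) {
    HandshakeHeader h;
    h.type = static_cast<HandshakeType>(r.uint8());
    h.length = r.uint24();
    if (h.length > r.remaining()) throw std::runtime_error("handshake message exceeds record");
    return h;
}

struct ClientHelloSummary { ProtocolVersion recordVersion, clientVersion; size_t sessionIdLength = 0; };

// Reads one record far enough to see both version fields and the session_id;
// cipher suites and extensions are left to a fuller parser.
ClientHelloSummary parseClientHelloRecord(const std::vector<uint8_t> &bytes) {
    Reader r(bytes);
    const RecordHeader rec = parseRecordHeader(r);
    if (rec.type != ctHandshake) throw std::runtime_error("not a handshake record");
    const HandshakeHeader hs = parseHandshakeHeader(r);
    if (hs.type != hskClientHello) throw std::runtime_error("not a ClientHello");
    ClientHelloSummary s;
    s.recordVersion = rec.version;
    s.clientVersion = parseVersion(r, true);
    r.skip(HelloRandomSize);
    s.sessionIdLength = r.uint8();
    r.skip(s.sessionIdLength);
    return s;
}

// Constructed sample (not a capture): one TLS 1.2 record carrying a minimal ClientHello.
std::vector<uint8_t> sampleClientHello() {
    std::vector<uint8_t> b = { ctHandshake, 0x03, 0x03, 0x00, 0x2d,   // record header, 45-byte fragment
                               hskClientHello, 0x00, 0x00, 0x29,      // handshake header, 41-byte body
                               0x03, 0x03 };                           // client_version = TLS 1.2
    b.insert(b.end(), HelloRandomSize, 0xAB);                          // random (fixed filler)
    b.push_back(0x00);                                                 // session_id length 0
    b.insert(b.end(), { 0x00, 0x02, 0x13, 0x01 });                     // one cipher suite
    b.insert(b.end(), { 0x01, 0x00 });                                 // compression: null only
    return b;
}

bool rejects(const std::vector<uint8_t> &bytes) {
    try { parseClientHelloRecord(bytes); return false; } catch (const std::runtime_error &) { return true; }
}
// A record cut short must be refused, not read past its end.
bool truncatedSampleRejected() { auto b = sampleClientHello(); b.resize(b.size() - 3); return rejects(b); }
// A record of the wrong content type is refused before any handshake parsing.
bool alertRecordRejected() { auto b = sampleClientHello(); b[0] = ctAlert; return rejects(b); }

// Relaxed vs strict on a standalone version pair, as in supported_versions parsing.
ProtocolVersion versionOf(uint8_t hi, uint8_t lo, bool beStrict) {
    const std::vector<uint8_t> b = { hi, lo };
    Reader r(b);
    return parseVersion(r, beStrict);
}
bool strictRejectsUnknownVersion() {
    try { versionOf(0x02, 0x00, true); return false; } catch (const std::runtime_error &) { return true; }
}

} // namespace tlsdemo
```

The two failure paths are the ones a bump-capable proxy has to get right: a record that claims more bytes than have arrived is an incomplete-input condition (HandshakeParser handles it by waiting for more data; this example simply refuses), and an unknown version inside supported_versions must not abort the whole ClientHello parse, which is why the page distinguishes the strict ParseProtocolVersion from the relaxed ParseOptionalProtocolVersion.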
◆ PrepForIo()
static void Security::PrepForIo ()
the steps necessary to perform before the upcoming TLS I/O to correctly interpret/detail the outcome of that I/O
Definition at line 40 of file Io.cc.
References ForgetErrors().
◆ SessionIsResumed()
bool Security::SessionIsResumed (const Security::SessionPointer & s)
whether the session is a resumed one
Definition at line 213 of file Session.cc.
References debugs.
Referenced by clientNegotiateSSL(), and MaybeGetSessionResumeData().
◆ SessionSendGoodbye()
void Security::SessionSendGoodbye (const Security::SessionPointer & s)
send the shutdown/bye notice for an active TLS session.
◆ SetSessionCacheCallbacks()
void Security::SetSessionCacheCallbacks (Security::ContextPointer & ctx)
Setup the given TLS context with callbacks used to manage the session cache.
Definition at line 376 of file Session.cc.
References get_session_cb(), remove_session_cb(), SessionCache, and store_session_cb().
Referenced by initializeSessionCache(), and Security::ServerOptions::updateContextConfig().
◆ SetSessionResumeData()
void Security::SetSessionResumeData (const Security::SessionPointer & s, const Security::SessionStatePointer & data)
Set the data for resuming a previous session. Needs to be done before using the SessionPointer for a handshake.
Definition at line 247 of file Session.cc.
References data, DBG_CRITICAL, debugs, and ErrorString().
Referenced by Ssl::IcapPeerConnector::initialize(), and Security::BlindPeerConnector::initialize().
◆ SupportedExtensions()
static Extensions Security::SupportedExtensions ()
A helper function to create a set of all supported TLS extensions.
Definition at line 711 of file Handshake.cc.
Referenced by Security::Extension::supported().
◆ Tls1p2orEarlier()
inline bool Security::Tls1p2orEarlier (const AnyP::ProtocolVersion & p)
whether the given TLS/SSL protocol is TLS v1.2 or earlier, including SSL
Definition at line 156 of file Handshake.h.
References AnyP::PROTO_TLS, and TlsVersionEarlierThan().
Referenced by applyTlsDetailsToSSL(), Security::HandshakeParser::parseSupportedVersionsExtension(), and Tls1p3orLater().
◆ Tls1p3orLater()
inline bool Security::Tls1p3orLater (const AnyP::ProtocolVersion & p)
whether the given TLS/SSL protocol is TLS v1.3 or later
Definition at line 163 of file Handshake.h.
References Tls1p2orEarlier().
Referenced by Ssl::ServerBio::encryptedCertificates(), Security::HandshakeParser::parseChangeCipherCpecMessage(), and Security::HandshakeParser::parseHandshakeMessage().
◆ TlsFamilyProtocol()
inline bool Security::TlsFamilyProtocol (const AnyP::ProtocolVersion & version)
whether the given protocol belongs to the TLS/SSL group of protocols
Definition at line 136 of file Handshake.h.
References AnyP::PROTO_SSL, AnyP::PROTO_TLS, and version.
Referenced by Security::NegotiationHistory::printTlsVersion(), and TlsVersionEarlierThan().
◆ TlsVersionEarlierThan()
inline bool Security::TlsVersionEarlierThan (const AnyP::ProtocolVersion & a, const AnyP::ProtocolVersion & b)
whether TLS/SSL protocol a precedes TLS/SSL protocol b
Definition at line 143 of file Handshake.h.
References Must, AnyP::PROTO_SSL, AnyP::ProtocolVersion::protocol, and TlsFamilyProtocol().
Referenced by Security::HandshakeParser::parseSupportedVersionsExtension(), and Tls1p2orEarlier().
Variable Documentation
◆ HelloRandomSize
static const uint64_t Security::HelloRandomSize = 32
The size of the TLS Random structure from RFC 5246 Section 7.4.1.2.
Definition at line 87 of file Handshake.cc.
Referenced by Security::HandshakeParser::parseClientHelloHandshakeMessage(), and Security::HandshakeParser::parseServerHelloHandshakeMessage().
◆ ProxyOutgoingConfig
extern PeerOptions Security::ProxyOutgoingConfig
configuration options for DIRECT server access
Definition at line 24 of file PeerOptions.cc.
Referenced by configDoConfigure(), CreateClientSession(), Ssl::PeekingPeerConnector::initialize(), and parse_obsolete().
◆ TheErrorCodeNames
static const ErrorCodeNames Security::TheErrorCodeNames
Definition at line 32 of file ErrorDetail.cc.
Referenced by ErrorCodeFromName(), and ErrorNameFromCode().