Network/connection security abstraction layer.
Namespaces | |
| Io | |
Classes | |
| class | Alert |
| TLS Alert protocol frame from RFC 5246 Section 7.2. More... | |
| class | BlindPeerConnector |
| A simple PeerConnector for SSL/TLS cache_peers. No SslBump capabilities. More... | |
| class | CertError |
| class | EncryptorAnswer |
| class | ErrorDetail |
| class | Extension |
| TLS Hello Extension from RFC 5246 Section 7.4.1.4. More... | |
| class | Handshake |
| TLS Handshake Protocol frame from RFC 5246 Section 7.4. More... | |
| class | HandshakeParser |
| Incremental TLS/SSL Handshake parser. More... | |
| class | IoResult |
| a summary a TLS I/O operation outcome More... | |
| class | KeyData |
| TLS certificate and private key details from squid.conf. More... | |
| class | LockingPointer |
| class | NegotiationHistory |
| class | PeerConnector |
| class | PeerOptions |
| TLS squid.conf settings for a remote server peer. More... | |
| class | ServerOptions |
| TLS squid.conf settings for a listening port. More... | |
| class | Sslv2Record |
| draft-hickman-netscape-ssl-00. Section 4.1. SSL Record Header Format More... | |
| class | TlsDetails |
| class | TLSPlaintext |
| TLS Record Layer's frame from RFC 5246 Section 6.2.1. More... | |
Typedefs | |
| typedef std::shared_ptr< SSL_CTX > | ContextPointer |
| typedef std::map< ErrorCode, const char * > | ErrorCodeNames |
| typedef CbDataList< Security::CertError > | CertErrors |
| Holds a list of X.509 certificate errors. More... | |
| typedef X509 | Certificate |
| typedef Security::LockingPointer< X509, X509_free_cpp, HardFun< int, X509 *, X509_up_ref > > | CertPointer |
| typedef Security::LockingPointer< X509_CRL, X509_CRL_free_cpp, HardFun< int, X509_CRL *, X509_CRL_up_ref > > | CrlPointer |
| typedef std::list< Security::CertPointer > | CertList |
| typedef std::list< Security::CrlPointer > | CertRevokeList |
| typedef Security::LockingPointer< DH, DH_free_cpp, HardFun< int, DH *, DH_up_ref > > | DhePointer |
| typedef int | ErrorCode |
| Squid-defined error code (<0), an error code returned by X.509 API, or zero. More... | |
| typedef unsigned long | LibErrorCode |
| TLS library-reported non-validation error. More... | |
| typedef std::unordered_set< Security::ErrorCode > | Errors |
| typedef long | ParsedOptions |
| typedef long | ParsedPortFlags |
| typedef RefCount< ErrorDetail > | ErrorDetailPointer |
| typedef std::unordered_set< Extension::Type > | Extensions |
| Extension types optimized for fast lookups. More... | |
| typedef SessionPointer::element_type * | ConnectionPointer |
| typedef HardFun< bool, const void *, nilFunction > | NilFunctor |
| typedef std::shared_ptr< SSL > | SessionPointer |
| typedef std::unique_ptr< SSL_SESSION, HardFun< void, SSL_SESSION *, &SSL_SESSION_free > > | SessionStatePointer |
Enumerations | |
| enum | ContentType { ctChangeCipherSpec = 20, ctAlert = 21, ctHandshake = 22, ctApplicationData = 23 } |
| TLS Record Layer's content types from RFC 5246 Section 6.2.1. More... | |
| enum | HandshakeType { hskClientHello = 1, hskServerHello = 2, hskCertificate = 11, hskServerHelloDone = 14 } |
| TLS Handshake protocol's handshake types from RFC 5246 Section 7.4. More... | |
Functions | |
| std::ostream & | operator<< (std::ostream &, const Security::EncryptorAnswer &) |
| ErrorCode | ErrorCodeFromName (const char *name) |
| const char * | ErrorNameFromCode (ErrorCode err, bool prefixRawCode=false) |
| CtoCpp1 (X509_free, X509 *) | |
| CtoCpp1 (X509_CRL_free, X509_CRL *) | |
| CtoCpp1 (DH_free, DH *) | |
| const char * | ErrorString (const LibErrorCode code) |
| converts numeric LibErrorCode into a human-friendlier string More... | |
| static Extensions | SupportedExtensions () |
| A helper function to create a set of all supported TLS extensions. More... | |
| static AnyP::ProtocolVersion | ParseProtocolVersionBase (Parser::BinaryTokenizer &tk, const char *contextLabel, const bool beStrict) |
| static AnyP::ProtocolVersion | ParseProtocolVersion (Parser::BinaryTokenizer &tk) |
| static AnyP::ProtocolVersion | ParseOptionalProtocolVersion (Parser::BinaryTokenizer &tk, const char *contextLabel) |
| std::ostream & | operator<< (std::ostream &os, Security::TlsDetails const &details) |
| bool | TlsFamilyProtocol (const AnyP::ProtocolVersion &version) |
| whether the given protocol belongs to the TLS/SSL group of protocols More... | |
| bool | TlsVersionEarlierThan (const AnyP::ProtocolVersion &a, const AnyP::ProtocolVersion &b) |
whether TLS/SSL protocol a precedes TLS/SSL protocol b More... | |
| bool | Tls1p2orEarlier (const AnyP::ProtocolVersion &p) |
| whether the given TLS/SSL protocol is TLS v1.2 or earlier, including SSL More... | |
| bool | Tls1p3orLater (const AnyP::ProtocolVersion &p) |
| whether the given TLS/SSL protocol is TLS v1.3 or later More... | |
| template<typename Fun > | |
| static IoResult | Handshake (Comm::Connection &, ErrorCode, Fun) |
| static void | PrepForIo () |
| IoResult | Accept (Comm::Connection &transport) |
| accept a TLS connection over the specified to-Squid transport connection More... | |
| IoResult | Connect (Comm::Connection &transport) |
| establish a TLS connection over the specified from-Squid transport connection More... | |
| void | ForgetErrors () |
| clear any errors that a TLS library has accumulated in its global storage More... | |
| bool | nilFunction (const void *) |
| bool | CreateClientSession (const Security::ContextPointer &, const Comm::ConnectionPointer &, const char *squidCtx) |
| bool | CreateServerSession (const Security::ContextPointer &, const Comm::ConnectionPointer &, Security::PeerOptions &, const char *squidCtx) |
| void | SessionSendGoodbye (const Security::SessionPointer &) |
| send the shutdown/bye notice for an active TLS session. More... | |
| bool | SessionIsResumed (const Security::SessionPointer &) |
| whether the session is a resumed one More... | |
| void | MaybeGetSessionResumeData (const Security::SessionPointer &, Security::SessionStatePointer &data) |
| void | SetSessionResumeData (const Security::SessionPointer &, const Security::SessionStatePointer &) |
| void | SetSessionCacheCallbacks (Security::ContextPointer &) |
| Setup the given TLS context with callbacks used to manage the session cache. More... | |
| Security::ContextPointer | GetFrom (Security::SessionPointer &s) |
| Helper function to retrieve a (non-locked) ContextPointer from a SessionPointer. More... | |
| Security::SessionPointer | NewSessionObject (const Security::ContextPointer &) |
Variables | |
| static const ErrorCodeNames | TheErrorCodeNames |
| static const uint64_t | HelloRandomSize = 32 |
| The size of the TLS Random structure from RFC 5246 Section 7.4.1.2. More... | |
| PeerOptions | ProxyOutgoingConfig |
| configuration options for DIRECT server access More... | |
Typedef Documentation
◆ CertErrors
◆ Certificate
| typedef X509 Security::Certificate |
◆ CertList
| typedef std::list<Security::CertPointer> Security::CertList |
◆ CertPointer
| typedef Security::LockingPointer<X509, X509_free_cpp, HardFun<int, X509 *, X509_up_ref> > Security::CertPointer |
◆ CertRevokeList
| typedef std::list<Security::CrlPointer> Security::CertRevokeList |
◆ ConnectionPointer
| typedef SessionPointer::element_type* Security::ConnectionPointer |
◆ ContextPointer
| typedef std::shared_ptr<SSL_CTX> Security::ContextPointer |
◆ CrlPointer
| typedef Security::LockingPointer<X509_CRL, X509_CRL_free_cpp, HardFun<int, X509_CRL *, X509_CRL_up_ref> > Security::CrlPointer |
◆ DhePointer
| typedef Security::LockingPointer<DH, DH_free_cpp, HardFun<int, DH *, DH_up_ref> > Security::DhePointer |
◆ ErrorCode
| typedef int Security::ErrorCode |
◆ ErrorCodeNames
| typedef std::map<ErrorCode, const char *> Security::ErrorCodeNames |
Definition at line 31 of file ErrorDetail.cc.
◆ ErrorDetailPointer
◆ Errors
| typedef std::unordered_set<Security::ErrorCode> Security::Errors |
◆ Extensions
| typedef std::unordered_set<Extension::Type> Security::Extensions |
Definition at line 105 of file Handshake.cc.
◆ LibErrorCode
| typedef unsigned long Security::LibErrorCode |
◆ NilFunctor
| typedef HardFun<bool, const void *, nilFunction> Security::NilFunctor |
Definition at line 41 of file LockingPointer.h.
◆ ParsedOptions
| typedef long Security::ParsedOptions |
◆ ParsedPortFlags
| typedef long Security::ParsedPortFlags |
◆ SessionPointer
| typedef std::shared_ptr<SSL> Security::SessionPointer |
◆ SessionStatePointer
| typedef std::unique_ptr<SSL_SESSION, HardFun<void, SSL_SESSION*, &SSL_SESSION_free> > Security::SessionStatePointer |
Enumeration Type Documentation
◆ ContentType
| Enumerator | |
|---|---|
| ctChangeCipherSpec | |
| ctAlert | |
| ctHandshake | |
| ctApplicationData | |
Definition at line 29 of file Handshake.cc.
◆ HandshakeType
| Enumerator | |
|---|---|
| hskClientHello | |
| hskServerHello | |
| hskCertificate | |
| hskServerHelloDone | |
Definition at line 57 of file Handshake.cc.
Function Documentation
◆ Accept()
| Security::IoResult Security::Accept | ( | Comm::Connection & | transport | ) |
Definition at line 164 of file Io.cc.
References Handshake(), and SQUID_TLS_ERR_ACCEPT.
Referenced by clientNegotiateSSL(), and ConnStateData::startPeekAndSplice().
◆ Connect()
| Security::IoResult Security::Connect | ( | Comm::Connection & | transport | ) |
Definition at line 179 of file Io.cc.
References Handshake(), and SQUID_TLS_ERR_CONNECT.
Referenced by Security::PeerConnector::negotiate().
◆ CreateClientSession()
| bool Security::CreateClientSession | ( | const Security::ContextPointer & | ctx, |
| const Comm::ConnectionPointer & | c, | ||
| const char * | squidCtx | ||
| ) |
Creates TLS Client connection structure (aka 'session' state) and initializes TLS/SSL I/O (Comm and BIO). On errors, emits DBG_IMPORTANT with details and returns false.
Definition at line 184 of file Session.cc.
References Security::Io::BIO_TO_SERVER, CreateSession(), Comm::Connection::getPeer(), and ProxyOutgoingConfig.
Referenced by Security::PeerConnector::initialize().
◆ CreateServerSession()
| bool Security::CreateServerSession | ( | const Security::ContextPointer & | ctx, |
| const Comm::ConnectionPointer & | c, | ||
| Security::PeerOptions & | o, | ||
| const char * | squidCtx | ||
| ) |
Creates TLS Server connection structure (aka 'session' state) and initializes TLS/SSL I/O (Comm and BIO). On errors, emits DBG_IMPORTANT with details and returns false.
Definition at line 194 of file Session.cc.
References Security::Io::BIO_TO_CLIENT, and CreateSession().
Referenced by httpsCreate().
◆ CtoCpp1() [1/3]
| Security::CtoCpp1 | ( | DH_free | , |
| DH * | |||
| ) |
◆ CtoCpp1() [2/3]
| Security::CtoCpp1 | ( | X509_CRL_free | , |
| X509_CRL * | |||
| ) |
◆ CtoCpp1() [3/3]
| Security::CtoCpp1 | ( | X509_free | , |
| X509 * | |||
| ) |
◆ ErrorCodeFromName()
| Security::ErrorCode Security::ErrorCodeFromName | ( | const char * | name | ) |
- Returns
- ErrorCode with a given name (or zero)
Definition at line 407 of file ErrorDetail.cc.
References SQUID_TLS_ERR_CONNECT, and TheErrorCodeNames.
Referenced by Ssl::GetErrorCode().
◆ ErrorNameFromCode()
- Returns
- string representation of ErrorCode, including raw X.509 error codes
- Parameters
-
prefixRawCode whether to prefix raw codes with "SSL_ERR="
Definition at line 427 of file ErrorDetail.cc.
References TheErrorCodeNames.
Referenced by Security::ErrorDetail::err_code(), and Ssl::GetErrorName().
◆ ErrorString()
|
inline |
Definition at line 123 of file forward.h.
References code.
Referenced by Ssl::chainCertificatesToSSLContext(), Security::PeerOptions::createBlankContext(), Security::ServerOptions::createBlankContext(), CreateSession(), Security::ServerOptions::createStaticServerContext(), Security::ErrorDetail::err_lib_error(), Ssl::InitClientContext(), Ssl::Initialize(), issuerExistInCaDb(), loadSystemTrustedCa(), Security::KeyData::loadX509CertFromFile(), Security::KeyData::loadX509ChainFromFile(), MaybeGetSessionResumeData(), Security::PeerOptions::parseOptions(), Ssl::setClientSNI(), SetSessionResumeData(), Security::PeerOptions::updateContextCa(), Security::ServerOptions::updateContextClientCa(), Security::ServerOptions::updateContextConfig(), Security::ServerOptions::updateContextEecdh(), Security::PeerOptions::updateContextTrust(), and Security::PeerOptions::updateSessionOptions().
◆ ForgetErrors()
| void Security::ForgetErrors | ( | ) |
Definition at line 28 of file Io.cc.
References asHex(), and debugs.
Referenced by Security::ErrorDetail::ErrorDetail(), and PrepForIo().
◆ GetFrom()
|
inline |
Definition at line 90 of file Session.h.
Referenced by ConnStateData::getSslContextStart(), and ConnStateData::sslCrtdHandleReply().
◆ Handshake()
|
static |
◆ MaybeGetSessionResumeData()
| void Security::MaybeGetSessionResumeData | ( | const Security::SessionPointer & | s, |
| Security::SessionStatePointer & | data | ||
| ) |
When the session is not a resumed session, retrieve the details needed to resume a later connection and store them in 'data'. This may result in 'data' becoming a nil Pointer if no details exist or an error occurs.
When the session is already a resumed session, do nothing and leave 'data' unhanged. XXX: is this latter behaviour always correct?
Definition at line 226 of file Session.cc.
References data, debugs, ErrorString(), and SessionIsResumed().
Referenced by Security::BlindPeerConnector::noteNegotiationDone(), and Ssl::IcapPeerConnector::noteNegotiationDone().
◆ NewSessionObject()
| Security::SessionPointer Security::NewSessionObject | ( | const Security::ContextPointer & | ctx | ) |
- Deprecated:
- use the PeerOptions/ServerOptions API methods instead. Wraps SessionPointer value creation to reduce risk of a nasty hack in ssl/support.cc.
Definition at line 97 of file Session.cc.
References debugs.
Referenced by CreateSession(), and Ssl::verifySslCertificate().
◆ nilFunction()
|
inline |
Definition at line 40 of file LockingPointer.h.
◆ operator<<() [1/2]
| std::ostream & Security::operator<< | ( | std::ostream & | os, |
| const Security::EncryptorAnswer & | answer | ||
| ) |
Definition at line 19 of file EncryptorAnswer.cc.
References Security::EncryptorAnswer::conn, and Security::EncryptorAnswer::error.
◆ operator<<() [2/2]
|
inline |
Definition at line 54 of file Handshake.h.
References Security::TlsDetails::print().
◆ ParseOptionalProtocolVersion()
|
static |
parse a framing-unrelated TLS ProtocolVersion
- Return values
-
PROTO_NONE for unsupported values
Definition at line 147 of file Handshake.cc.
References ParseProtocolVersionBase().
Referenced by Security::HandshakeParser::parseSupportedVersionsExtension().
◆ ParseProtocolVersion()
|
static |
parse a framing-related TLS ProtocolVersion
- Returns
- a supported SSL or TLS Anyp::ProtocolVersion, never PROTO_NONE
Definition at line 139 of file Handshake.cc.
References ParseProtocolVersionBase().
Referenced by Security::TLSPlaintext::TLSPlaintext(), Security::HandshakeParser::parseClientHelloHandshakeMessage(), Security::HandshakeParser::parseServerHelloHandshakeMessage(), and Security::HandshakeParser::parseVersion2HandshakeMessage().
◆ ParseProtocolVersionBase()
|
static |
parse TLS ProtocolVersion (uint16) and convert it to AnyP::ProtocolVersion
- Return values
-
PROTO_NONE for unsupported values (in relaxed mode)
Definition at line 111 of file Handshake.cc.
References asHex(), debugs, Here, AnyP::PROTO_SSL, AnyP::PROTO_TLS, Ftp::ProtocolVersion(), ToSBuf(), and Parser::BinaryTokenizer::uint8().
Referenced by ParseOptionalProtocolVersion(), and ParseProtocolVersion().
◆ PrepForIo()
|
static |
the steps necessary to perform before the upcoming TLS I/O to correctly interpret/detail the outcome of that I/O
Definition at line 40 of file Io.cc.
References ForgetErrors().
◆ SessionIsResumed()
| bool Security::SessionIsResumed | ( | const Security::SessionPointer & | s | ) |
Definition at line 213 of file Session.cc.
References debugs.
Referenced by clientNegotiateSSL(), and MaybeGetSessionResumeData().
◆ SessionSendGoodbye()
| void Security::SessionSendGoodbye | ( | const Security::SessionPointer & | s | ) |
◆ SetSessionCacheCallbacks()
| void Security::SetSessionCacheCallbacks | ( | Security::ContextPointer & | ctx | ) |
Definition at line 376 of file Session.cc.
References get_session_cb(), remove_session_cb(), SessionCache, and store_session_cb().
Referenced by initializeSessionCache(), and Security::ServerOptions::updateContextConfig().
◆ SetSessionResumeData()
| void Security::SetSessionResumeData | ( | const Security::SessionPointer & | s, |
| const Security::SessionStatePointer & | data | ||
| ) |
Set the data for resuming a previous session. Needs to be done before using the SessionPointer for a handshake.
Definition at line 247 of file Session.cc.
References data, DBG_CRITICAL, debugs, and ErrorString().
Referenced by Ssl::IcapPeerConnector::initialize(), and Security::BlindPeerConnector::initialize().
◆ SupportedExtensions()
|
static |
Definition at line 711 of file Handshake.cc.
Referenced by Security::Extension::supported().
◆ Tls1p2orEarlier()
|
inline |
Definition at line 156 of file Handshake.h.
References AnyP::PROTO_TLS, and TlsVersionEarlierThan().
Referenced by applyTlsDetailsToSSL(), Security::HandshakeParser::parseSupportedVersionsExtension(), and Tls1p3orLater().
◆ Tls1p3orLater()
|
inline |
Definition at line 163 of file Handshake.h.
References Tls1p2orEarlier().
Referenced by Ssl::ServerBio::encryptedCertificates(), Security::HandshakeParser::parseChangeCipherCpecMessage(), and Security::HandshakeParser::parseHandshakeMessage().
◆ TlsFamilyProtocol()
|
inline |
Definition at line 136 of file Handshake.h.
References AnyP::PROTO_SSL, AnyP::PROTO_TLS, and version.
Referenced by Security::NegotiationHistory::printTlsVersion(), and TlsVersionEarlierThan().
◆ TlsVersionEarlierThan()
|
inline |
Definition at line 143 of file Handshake.h.
References Must, AnyP::PROTO_SSL, AnyP::ProtocolVersion::protocol, and TlsFamilyProtocol().
Referenced by Security::HandshakeParser::parseSupportedVersionsExtension(), and Tls1p2orEarlier().
Variable Documentation
◆ HelloRandomSize
|
static |
Definition at line 87 of file Handshake.cc.
Referenced by Security::HandshakeParser::parseClientHelloHandshakeMessage(), and Security::HandshakeParser::parseServerHelloHandshakeMessage().
◆ ProxyOutgoingConfig
|
extern |
Definition at line 24 of file PeerOptions.cc.
Referenced by configDoConfigure(), CreateClientSession(), Ssl::PeekingPeerConnector::initialize(), and parse_obsolete().
◆ TheErrorCodeNames
|
static |
Definition at line 32 of file ErrorDetail.cc.
Referenced by ErrorCodeFromName(), and ErrorNameFromCode().