Classes | |
| class | Bio |
| BIO source and sink node, handling socket I/O and monitoring SSL state. More... | |
| class | CertificateDb |
| class | CertificateProperties |
| class | CertificateStorageAction |
| class | CertValidationHelper |
| class | CertValidationMsg |
| class | CertValidationRequest |
| class | CertValidationResponse |
| class | ClientBio |
| class | Config |
| class | CrtdMessage |
| class | ErrorDetailEntry |
| class | ErrorDetailFile |
| manages error detail templates More... | |
| class | ErrorDetailsList |
| class | ErrorDetailsManager |
| class | GeneralNameMatcher |
| an algorithm for checking/testing/comparing X.509 certificate names More... | |
| class | GeneratorRequest |
| A pending Ssl::Helper request, combining the original and collapsed queries. More... | |
| class | GeneratorRequestor |
| Initiator of an Ssl::Helper query. More... | |
| class | GlobalContextStorage |
| Class for storing/manipulating LocalContextStorage per local listening address/port. More... | |
| class | Helper |
| class | IcapPeerConnector |
| A simple PeerConnector for Secure ICAP services. No SslBump capabilities. More... | |
| class | Lock |
| maintains an exclusive blocking file-based lock More... | |
| class | Locker |
| an exception-safe way to obtain and release a lock More... | |
| class | OneNameMatcher |
| GeneralNameMatcher for matching a single AnyP::Host given at construction time. More... | |
| class | PeekingPeerConnector |
| A PeerConnector for HTTP origin servers. Capable of SslBumping. More... | |
| class | ServerBio |
| class | ServerBump |
| class | VerifyCallbackParameters |
Typedefs | |
| using | LocalContextStorage = ClpMap< SBuf, Security::ContextPointer, MemoryUsedByContext > |
| typedef std::unique_ptr< STACK_OF(X509), sk_X509_free_wrapper > | X509_STACK_Pointer |
| typedef std::unique_ptr< BIGNUM, HardFun< void, BIGNUM *, &BN_free > > | BIGNUM_Pointer |
| typedef std::unique_ptr< BIO, HardFun< void, BIO *, &BIO_vfree > > | BIO_Pointer |
| typedef std::unique_ptr< ASN1_INTEGER, HardFun< void, ASN1_INTEGER *, &ASN1_INTEGER_free > > | ASN1_INT_Pointer |
| typedef std::unique_ptr< ASN1_OCTET_STRING, HardFun< void, ASN1_OCTET_STRING *, &ASN1_OCTET_STRING_free > > | ASN1_OCTET_STRING_Pointer |
| typedef std::unique_ptr< TXT_DB, HardFun< void, TXT_DB *, &TXT_DB_free > > | TXT_DB_Pointer |
| typedef std::unique_ptr< X509_NAME, HardFun< void, X509_NAME *, &X509_NAME_free > > | X509_NAME_Pointer |
| using | EVP_PKEY_CTX_Pointer = std::unique_ptr< EVP_PKEY_CTX, HardFun< void, EVP_PKEY_CTX *, &EVP_PKEY_CTX_free > > |
| typedef std::unique_ptr< X509_REQ, HardFun< void, X509_REQ *, &X509_REQ_free > > | X509_REQ_Pointer |
| typedef std::unique_ptr< AUTHORITY_KEYID, HardFun< void, AUTHORITY_KEYID *, &AUTHORITY_KEYID_free > > | AUTHORITY_KEYID_Pointer |
| typedef std::unique_ptr< STACK_OF(GENERAL_NAME), sk_GENERAL_NAME_free_wrapper > | GENERAL_NAME_STACK_Pointer |
| typedef std::unique_ptr< GENERAL_NAME, HardFun< void, GENERAL_NAME *, &GENERAL_NAME_free > > | GENERAL_NAME_Pointer |
| typedef std::unique_ptr< X509_EXTENSION, HardFun< void, X509_EXTENSION *, &X509_EXTENSION_free > > | X509_EXTENSION_Pointer |
| typedef std::unique_ptr< X509_STORE_CTX, HardFun< void, X509_STORE_CTX *, &X509_STORE_CTX_free > > | X509_STORE_CTX_Pointer |
| using | UniqueCString = std::unique_ptr< char, HardFun< void, char *, &OPENSSL_free_for_c_strings > > |
| typedef std::unordered_map< SBuf, GeneratorRequest * > | GeneratorRequests |
| Ssl::Helper query:GeneratorRequest map. More... | |
| using | BumpStep = XactionStep |
| typedef RefCount< CertValidationResponse > | CertValidationResponsePointer |
| typedef const char * | GETX509ATTRIBUTE(X509 *, const char *) |
| typedef SBuf | GETX509PEM(X509 *) |
| typedef std::multimap< SBuf, X509 * > | CertsIndexedList |
| certificates indexed by issuer name More... | |
| using | GeneralName = AnyP::Host |
Enumerations | |
| enum | CertSignAlgorithm { algSignTrusted = 0, algSignUntrusted, algSignSelf, algSignEnd } |
| enum | CertAdaptAlgorithm { algSetValidAfter = 0, algSetValidBefore, algSetCommonName, algSetEnd } |
| enum | BumpMode { bumpNone = 0, bumpClientFirst, bumpServerFirst, bumpPeek, bumpStare, bumpBump, bumpSplice, bumpTerminate, bumpEnd } |
Functions | |
| uint64_t | MemoryUsedByContext (const Security::ContextPointer &) |
| GlobalContextStorage & | TheGlobalContextStorage () |
| Global cache for store all SSL server certificates. More... | |
| bool | ParseErrorString (const char *name, Security::Errors &) |
| Security::ErrorCode | GetErrorCode (const char *name) |
| The Security::ErrorCode code of the error described by "name". More... | |
| const char * | GetErrorName (const Security::ErrorCode code, const bool prefixRawCode=false) |
| std::optional< SBuf > | GetErrorDescr (Security::ErrorCode) |
| bool | ErrorIsOptional (const char *name) |
| void | errorDetailInitialize () |
| void | errorDetailClean () |
| sk_dtor_wrapper (sk_X509, STACK_OF(X509) *, X509_free) | |
| sk_dtor_wrapper (sk_GENERAL_NAME, STACK_OF(GENERAL_NAME) *, GENERAL_NAME_free) | |
| void | OPENSSL_free_for_c_strings (char *const string) |
| void | ForgetErrors () |
| Clear any errors accumulated by OpenSSL in its global storage. More... | |
| std::ostream & | ReportAndForgetErrors (std::ostream &) |
| bool | writeCertAndPrivateKeyToMemory (Security::CertPointer const &cert, Security::PrivateKeyPointer const &pkey, std::string &bufferToWrite) |
| bool | appendCertToMemory (Security::CertPointer const &cert, std::string &bufferToWrite) |
| bool | readCertAndPrivateKeyFromMemory (Security::CertPointer &cert, Security::PrivateKeyPointer &pkey, char const *bufferToRead) |
| BIO_Pointer | ReadOnlyBioTiedTo (const char *) |
| void | ReadPrivateKeyFromFile (char const *keyFilename, Security::PrivateKeyPointer &pkey, pem_password_cb *passwd_callback) |
| bool | OpenCertsFileForReading (BIO_Pointer &bio, const char *filename) |
| Security::CertPointer | ReadCertificate (const BIO_Pointer &) |
| Security::CertPointer | ReadOptionalCertificate (const BIO_Pointer &) |
| bool | ReadPrivateKey (BIO_Pointer &bio, Security::PrivateKeyPointer &pkey, pem_password_cb *passwd_callback) |
| bool | OpenCertsFileForWriting (BIO_Pointer &bio, const char *filename) |
| bool | WriteX509Certificate (BIO_Pointer &bio, const Security::CertPointer &cert) |
| bool | WritePrivateKey (BIO_Pointer &bio, const Security::PrivateKeyPointer &pkey) |
| UniqueCString | OneLineSummary (X509_NAME &) |
| a RAII wrapper for the memory-allocating flavor of X509_NAME_oneline() More... | |
| const char * | certSignAlgorithm (int sg) |
| CertSignAlgorithm | certSignAlgorithmId (const char *sg) |
| const char * | sslCertAdaptAlgoritm (int alg) |
| std::string & | OnDiskCertificateDbKey (const CertificateProperties &) |
| bool | generateSslCertificate (Security::CertPointer &cert, Security::PrivateKeyPointer &pkey, CertificateProperties const &properties) |
| bool | sslDateIsInTheFuture (char const *date) |
| bool | certificateMatchesProperties (X509 *peer_cert, CertificateProperties const &properties) |
| const char * | CommonHostName (X509 *x509) |
| SBuf | AsnToSBuf (const ASN1_STRING &) |
| converts ASN1_STRING to SBuf More... | |
| std::optional< AnyP::Host > | ParseCommonNameAt (X509_NAME &, int) |
| interprets X.509 Subject or Issuer name entry (at the given position) as CN More... | |
| std::optional< AnyP::Host > | ParseAsSimpleDomainNameOrIp (const SBuf &) |
| const char * | getOrganization (X509 *x509) |
| bool | CertificatesCmp (const Security::CertPointer &cert1, const Security::CertPointer &cert2) |
| const ASN1_BIT_STRING * | X509_get_signature (const Security::CertPointer &) |
| static void | HandleGeneratorReply (void *data, const ::Helper::Reply &reply) |
| receives helper response More... | |
| static GeneratorRequests & | TheGeneratorRequests () |
| pending Ssl::Helper requests (to all certificate generator helpers combined) More... | |
| static CertsIndexedList & | SquidUntrustedCerts () |
| int | AskPasswordCb (char *buf, int size, int rwflag, void *userdata) |
| void | Initialize () |
| bool | InitServerContext (Security::ContextPointer &, AnyP::PortCfg &) |
| initialize a TLS server context with OpenSSL specific settings More... | |
| bool | InitClientContext (Security::ContextPointer &, Security::PeerOptions &, Security::ParsedPortFlags) |
| initialize a TLS client context with OpenSSL specific settings More... | |
| void | ConfigurePeerVerification (Security::ContextPointer &, const Security::ParsedPortFlags) |
| set the certificate verify callback for a context More... | |
| void | DisablePeerVerification (Security::ContextPointer &) |
| void | MaybeSetupRsaCallback (Security::ContextPointer &) |
| if required, setup callback for generating ephemeral RSA keys More... | |
| const char * | bumpMode (int bm) |
| bool | loadCerts (const char *certsFile, Ssl::CertsIndexedList &list) |
| bool | loadSquidUntrusted (const char *path) |
| void | unloadSquidUntrusted () |
| void | SSL_add_untrusted_cert (SSL *ssl, X509 *cert) |
| const char * | findIssuerUri (X509 *cert) |
| finds certificate issuer URI in the Authority Info Access extension More... | |
| Security::CertPointer | findIssuerCertificate (X509 *cert, const STACK_OF(X509) *serverCertificates, const Security::ContextPointer &context) |
| bool | missingChainCertificatesUrls (std::queue< SBuf > &URIs, const STACK_OF(X509) &serverCertificates, const Security::ContextPointer &context) |
| bool | generateUntrustedCert (Security::CertPointer &untrustedCert, Security::PrivateKeyPointer &untrustedPkey, Security::CertPointer const &cert, Security::PrivateKeyPointer const &pkey) |
| Security::ContextPointer | GenerateSslContext (CertificateProperties const &, Security::ServerOptions &, bool trusted) |
| bool | verifySslCertificate (const Security::ContextPointer &, CertificateProperties const &) |
| Security::ContextPointer | GenerateSslContextUsingPkeyAndCertFromMemory (const char *data, Security::ServerOptions &, bool trusted) |
| Security::ContextPointer | createSSLContext (Security::CertPointer &x509, Security::PrivateKeyPointer &pkey, Security::ServerOptions &) |
| Create SSL context and apply ssl certificate and private key to it. More... | |
| void | chainCertificatesToSSLContext (Security::ContextPointer &, Security::ServerOptions &) |
| void | configureUnconfiguredSslContext (Security::ContextPointer &, Ssl::CertSignAlgorithm signAlgorithm, AnyP::PortCfg &) |
| bool | configureSSL (SSL *ssl, CertificateProperties const &properties, AnyP::PortCfg &port) |
| bool | configureSSLUsingPkeyAndCertFromMemory (SSL *ssl, const char *data, AnyP::PortCfg &port) |
| void | useSquidUntrusted (SSL_CTX *sslContext) |
| bool | HasMatchingSubjectName (X509 &, const GeneralNameMatcher &) |
| bool | HasSubjectName (X509 &, const AnyP::Host &) |
| whether at least one common or alternate subject name matches the given one More... | |
| int | asn1timeToString (ASN1_TIME *tm, char *buf, int len) |
| void | setClientSNI (SSL *ssl, const char *fqdn) |
| void | InRamCertificateDbKey (const Ssl::CertificateProperties &certProperties, SBuf &key) |
| BIO * | BIO_new_SBuf (SBuf *buf) |
| bool | VerifyConnCertificates (Security::Connection &, const Ssl::X509_STACK_Pointer &extraCerts) |
Variables | |
| Config | TheConfig |
| const char * | CertSignAlgorithmStr [] |
| const char * | CertAdaptAlgorithmStr [] |
| GETX509ATTRIBUTE | GetX509UserAttribute |
| GETX509ATTRIBUTE | GetX509CAAttribute |
| GETX509PEM | GetX509PEM |
| GETX509ATTRIBUTE | GetX509Fingerprint |
| const EVP_MD * | DefaultSignHash = nullptr |
| std::vector< const char * > | BumpModeStr |
Typedef Documentation
◆ ASN1_INT_Pointer
| typedef std::unique_ptr<ASN1_INTEGER, HardFun<void, ASN1_INTEGER*, &ASN1_INTEGER_free> > Ssl::ASN1_INT_Pointer |
◆ ASN1_OCTET_STRING_Pointer
| typedef std::unique_ptr<ASN1_OCTET_STRING, HardFun<void, ASN1_OCTET_STRING*, &ASN1_OCTET_STRING_free> > Ssl::ASN1_OCTET_STRING_Pointer |
◆ AUTHORITY_KEYID_Pointer
| typedef std::unique_ptr<AUTHORITY_KEYID, HardFun<void, AUTHORITY_KEYID*, &AUTHORITY_KEYID_free> > Ssl::AUTHORITY_KEYID_Pointer |
◆ BIGNUM_Pointer
| typedef std::unique_ptr<BIGNUM, HardFun<void, BIGNUM*, &BN_free> > Ssl::BIGNUM_Pointer |
◆ BIO_Pointer
| typedef std::unique_ptr<BIO, HardFun<void, BIO*, &BIO_vfree> > Ssl::BIO_Pointer |
◆ BumpStep
| using Ssl::BumpStep = typedef XactionStep |
Definition at line 28 of file ServerBump.h.
◆ CertsIndexedList
| typedef std::multimap< SBuf, X509 * > Ssl::CertsIndexedList |
◆ CertValidationResponsePointer
◆ EVP_PKEY_CTX_Pointer
| using Ssl::EVP_PKEY_CTX_Pointer = typedef std::unique_ptr<EVP_PKEY_CTX, HardFun<void, EVP_PKEY_CTX*, &EVP_PKEY_CTX_free> > |
◆ GENERAL_NAME_Pointer
| typedef std::unique_ptr<GENERAL_NAME, HardFun<void, GENERAL_NAME*, &GENERAL_NAME_free> > Ssl::GENERAL_NAME_Pointer |
◆ GENERAL_NAME_STACK_Pointer
| typedef std::unique_ptr<STACK_OF(GENERAL_NAME), sk_GENERAL_NAME_free_wrapper> Ssl::GENERAL_NAME_STACK_Pointer |
◆ GeneralName
| using Ssl::GeneralName = typedef AnyP::Host |
A successfully extracted/parsed certificate "name" field. See RFC 5280 GeneralName and X520CommonName types for examples of information sources. For now, we only support the same two name variants as AnyP::Host:
- An IPv4 or an IPv6 address. This info comes (with very little validation) from RFC 5280 "iPAddress" variant of a subjectAltName
- A domain name or domain name wildcard (e.g., *.example.com). This info comes (with very little validation) from a source like these two:
- RFC 5280 "dNSName" variant of a subjectAltName extension (GeneralName index is 2, underlying value type is IA5String);
- RFC 5280 X520CommonName component of a Subject distinguished name field (underlying value type is DirectoryName).
◆ GeneratorRequests
| typedef std::unordered_map<SBuf, GeneratorRequest*> Ssl::GeneratorRequests |
◆ GETX509PEM
◆ LocalContextStorage
| using Ssl::LocalContextStorage = typedef ClpMap<SBuf, Security::ContextPointer, MemoryUsedByContext> |
Definition at line 51 of file context_storage.h.
◆ TXT_DB_Pointer
| typedef std::unique_ptr<TXT_DB, HardFun<void, TXT_DB*, &TXT_DB_free> > Ssl::TXT_DB_Pointer |
◆ UniqueCString
| using Ssl::UniqueCString = typedef std::unique_ptr<char, HardFun<void, char *, &OPENSSL_free_for_c_strings> > |
◆ X509_EXTENSION_Pointer
| typedef std::unique_ptr<X509_EXTENSION, HardFun<void, X509_EXTENSION*, &X509_EXTENSION_free> > Ssl::X509_EXTENSION_Pointer |
◆ X509_NAME_Pointer
| typedef std::unique_ptr<X509_NAME, HardFun<void, X509_NAME*, &X509_NAME_free> > Ssl::X509_NAME_Pointer |
◆ X509_REQ_Pointer
| typedef std::unique_ptr<X509_REQ, HardFun<void, X509_REQ*, &X509_REQ_free> > Ssl::X509_REQ_Pointer |
◆ X509_STACK_Pointer
| typedef std::unique_ptr<STACK_OF(X509), sk_X509_free_wrapper> Ssl::X509_STACK_Pointer |
◆ X509_STORE_CTX_Pointer
| typedef std::unique_ptr<X509_STORE_CTX, HardFun<void, X509_STORE_CTX *, &X509_STORE_CTX_free> > Ssl::X509_STORE_CTX_Pointer |
Function Documentation
◆ AskPasswordCb()
callback for receiving password to access password secured PEM files XXX: Requires SSL_CTX_set_default_passwd_cb_userdata()!
Definition at line 131 of file support.cc.
References size.
Referenced by Security::KeyData::loadX509PrivateKeyFromFile(), and ssl_ask_password().
◆ AsnToSBuf()
| SBuf Ssl::AsnToSBuf | ( | const ASN1_STRING & | buffer | ) |
Definition at line 473 of file gadgets.cc.
Referenced by ParseSubjectAltName().
◆ ConfigurePeerVerification()
| void Ssl::ConfigurePeerVerification | ( | Security::ContextPointer & | ctx, |
| const Security::ParsedPortFlags | flags | ||
| ) |
Definition at line 501 of file support.cc.
References DBG_IMPORTANT, DBG_PARSE_NOTE, debugs, SSL_FLAG_CONDITIONAL_AUTH, SSL_FLAG_DELAYED_AUTH, SSL_FLAG_DONT_VERIFY_PEER, and ssl_verify_cb().
Referenced by InitClientContext(), and Security::ServerOptions::updateContextClientCa().
◆ DisablePeerVerification()
| void Ssl::DisablePeerVerification | ( | Security::ContextPointer & | ctx | ) |
Definition at line 528 of file support.cc.
References DBG_PARSE_NOTE, and debugs.
Referenced by Security::ServerOptions::updateContextClientCa().
◆ errorDetailClean()
| void Ssl::errorDetailClean | ( | ) |
Definition at line 24 of file ErrorDetailManager.cc.
References Ssl::ErrorDetailsManager::Shutdown().
Referenced by errorClean().
◆ errorDetailInitialize()
| void Ssl::errorDetailInitialize | ( | ) |
Definition at line 19 of file ErrorDetailManager.cc.
References Ssl::ErrorDetailsManager::GetInstance().
Referenced by errorInitialize().
◆ ErrorIsOptional()
| bool Ssl::ErrorIsOptional | ( | const char * | name | ) |
- Returns
- true if the TLS error is optional and may not be supported by current squid version
Definition at line 149 of file ErrorDetail.cc.
References OptionalSslErrors.
Referenced by Ssl::ErrorDetailFile::parse().
◆ findIssuerCertificate()
| Security::CertPointer Ssl::findIssuerCertificate | ( | X509 * | cert, |
| const STACK_OF(X509) * | serverCertificates, | ||
| const Security::ContextPointer & | context | ||
| ) |
Searches serverCertificates and local databases for the cert issuer.
- Parameters
-
context where to retrieve the configured CA's db; may be nil
- Returns
- the found issuer certificate or nil
Definition at line 1303 of file support.cc.
References findCertIssuerFast(), findIssuerInCaDb(), Must, sk_x509_findIssuer(), and SquidUntrustedCerts().
Referenced by Security::PeerConnector::certDownloadingDone(), completeIssuers(), and missingChainCertificatesUrls().
◆ findIssuerUri()
| const char * Ssl::findIssuerUri | ( | X509 * | cert | ) |
Definition at line 1186 of file support.cc.
References ASN1_STRING_get0_data(), MAX_URL, and xstrncpy().
Referenced by Security::PeerConnector::certDownloadingDone(), and missingChainCertificatesUrls().
◆ ForgetErrors()
| void Ssl::ForgetErrors | ( | ) |
Definition at line 19 of file gadgets.cc.
References debugs, and ReportAndForgetErrors().
Referenced by Security::ForgetErrors(), Security::IssuedBy(), Security::IssuerName(), Security::ServerOptions::loadDhParams(), ReadOptionalCertificate(), Security::SubjectName(), and Security::ServerOptions::updateContextEecdh().
◆ GetErrorCode()
|
inline |
Definition at line 30 of file ErrorDetail.h.
References Security::ErrorCodeFromName().
Referenced by Ssl::ErrorDetailFile::parse(), ParseErrorString(), and Ssl::CertValidationMsg::tryParsingResponse().
◆ GetErrorDescr()
| std::optional< SBuf > Ssl::GetErrorDescr | ( | Security::ErrorCode | value | ) |
a short description of the given TLS error known to Squid (or, if the error is unknown, nothing)
Definition at line 159 of file ErrorDetail.cc.
Referenced by ssl_verify_cb().
◆ GetErrorName()
|
inline |
- Returns
- string representation of a known TLS error (or a raw error code)
- Parameters
-
prefixRawCode whether to prefix raw codes with "SSL_ERR="
Definition at line 38 of file ErrorDetail.h.
References code, and Security::ErrorNameFromCode().
Referenced by Format::Format::assemble(), Ssl::CertValidationMsg::composeRequest(), and ACLSslErrorData::dump().
◆ HandleGeneratorReply()
|
static |
Definition at line 157 of file helper.cc.
References assert, cbdata::data, debugs, Ssl::GeneratorRequest::query, Ssl::GeneratorRequest::requestors, and TheGeneratorRequests().
Referenced by Ssl::Helper::Submit().
◆ HasMatchingSubjectName()
| bool Ssl::HasMatchingSubjectName | ( | X509 & | cert, |
| const GeneralNameMatcher & | matcher | ||
| ) |
Determines whether at least one common or alternate subject names matches. The first match (if any) terminates the search.
Definition at line 307 of file support.cc.
References Assure, debugs, Ssl::GeneralNameMatcher::match(), ParseCommonNameAt(), ParseSubjectAltName(), and STACK_OF().
Referenced by HasSubjectName(), Acl::ServerNameCheck::match(), Security::ErrorDetail::printCommonName(), and STUB_RETVAL().
◆ HasSubjectName()
| bool Ssl::HasSubjectName | ( | X509 & | cert, |
| const AnyP::Host & | host | ||
| ) |
Definition at line 338 of file support.cc.
References HasMatchingSubjectName().
Referenced by Acl::ServerNameCheck::match(), ConnStateData::serveDelayedError(), ssl_verify_cb(), and STUB_RETVAL().
◆ InitClientContext()
| bool Ssl::InitClientContext | ( | Security::ContextPointer & | ctx, |
| Security::PeerOptions & | peer, | ||
| Security::ParsedPortFlags | fl | ||
| ) |
Definition at line 806 of file support.cc.
References SBuf::c_str(), Security::PeerOptions::certs, ConfigurePeerVerification(), debugs, Security::ErrorString(), fatalf(), SBuf::isEmpty(), keys, MaybeSetupRsaCallback(), ssl_ask_password(), and Security::PeerOptions::sslCipher.
Referenced by Security::PeerOptions::createClientContext().
◆ Initialize()
| void Ssl::Initialize | ( | ) |
initialize the SSL library global state. call before generating any SSL context
Definition at line 747 of file support.cc.
References DBG_IMPORTANT, DBG_PARSE_NOTE, debugs, DefaultSignHash, Security::ErrorString(), fatalf(), Here, SQUID_OPENSSL_init_ssl(), SQUID_SSL_SIGN_HASH_IF_NONE, ssl_ctx_ex_index_dont_verify_domain, ssl_dupAclChecklist(), ssl_ex_index_cert_error_check, ssl_ex_index_server, ssl_ex_index_ssl_cert_chain, ssl_ex_index_ssl_error_detail, ssl_ex_index_ssl_errors, ssl_ex_index_ssl_peeked_cert, ssl_ex_index_ssl_validation_counter, ssl_ex_index_verify_callback_parameters, ssl_free_CertChain(), ssl_free_ErrorDetail(), ssl_free_int(), ssl_free_SBuf(), ssl_free_SslErrors(), ssl_free_VerifyCallbackParameters(), ssl_free_X509(), and ssl_freeAclChecklist().
Referenced by Security::PeerOptions::createBlankContext(), and Security::ServerOptions::createBlankContext().
◆ InitServerContext()
| bool Ssl::InitServerContext | ( | Security::ContextPointer & | ctx, |
| AnyP::PortCfg & | |||
| ) |
Definition at line 797 of file support.cc.
◆ MaybeSetupRsaCallback()
| void Ssl::MaybeSetupRsaCallback | ( | Security::ContextPointer & | ctx | ) |
Definition at line 238 of file support.cc.
References debugs.
Referenced by InitClientContext(), and Security::ServerOptions::updateContextConfig().
◆ MemoryUsedByContext()
|
inline |
Definition at line 48 of file context_storage.h.
◆ missingChainCertificatesUrls()
| bool Ssl::missingChainCertificatesUrls | ( | std::queue< SBuf > & | URIs, |
| const STACK_OF(X509) & | serverCertificates, | ||
| const Security::ContextPointer & | context | ||
| ) |
Fill URIs queue with the uris of missing certificates from serverCertificate chain if this information provided by Authority Info Access.
- Returns
- whether at least one URI is known, including previously known ones
Definition at line 1329 of file support.cc.
References debugs, findIssuerCertificate(), and findIssuerUri().
Referenced by Security::PeerConnector::computeMissingCertificateUrls().
◆ OneLineSummary()
| Ssl::UniqueCString Ssl::OneLineSummary | ( | X509_NAME & | name | ) |
Definition at line 879 of file gadgets.cc.
Referenced by Ssl::CertificateDb::addCertAndPrivateKey(), Security::IssuerName(), and Security::SubjectName().
◆ OPENSSL_free_for_c_strings()
|
inline |
◆ ParseAsSimpleDomainNameOrIp()
| std::optional< AnyP::Host > Ssl::ParseAsSimpleDomainNameOrIp | ( | const SBuf & | text | ) |
interprets the given buffer as either a textual representation of an IP address (if possible) or a domain name without wildcard support (otherwise)
Definition at line 496 of file gadgets.cc.
References Ip::Address::Parse(), AnyP::Host::ParseIp(), AnyP::Host::ParseSimpleDomainName(), and text.
Referenced by ParseCommonNameAt(), and ssl_verify_cb().
◆ ParseCommonNameAt()
| std::optional< AnyP::Host > Ssl::ParseCommonNameAt | ( | X509_NAME & | name, |
| int | cnIndex | ||
| ) |
Definition at line 504 of file gadgets.cc.
References debugs, ParseAsSimpleDomainNameOrIp(), and ParseAsUtf8().
Referenced by addAltNameWithSubjectCn(), and HasMatchingSubjectName().
◆ ParseErrorString()
| bool Ssl::ParseErrorString | ( | const char * | name, |
| Security::Errors & | errors | ||
| ) |
Converts user-friendly error "name" into an Security::ErrorCode and adds it to the provided container (using emplace). This function can handle numeric error numbers as well as names.
Definition at line 111 of file ErrorDetail.cc.
References assert, fatalf(), GetErrorCode(), loadSslErrorShortcutsMap(), SQUID_TLS_ERR_END, SQUID_TLS_ERR_OFFSET, TheSslErrorShortcuts, and xisdigit.
Referenced by ACLSslErrorData::parse().
◆ ReadCertificate()
| Security::CertPointer Ssl::ReadCertificate | ( | const BIO_Pointer & | bio | ) |
Reads and returns a certificate using the given OpenSSL BIO. Never returns a nil pointer.
Definition at line 816 of file gadgets.cc.
References Here, and ReadOptionalCertificate().
Referenced by Security::KeyData::loadCertificates(), Ssl::CrtdMessage::parseRequest(), readCertAndPrivateKeyFromMemory(), Ssl::CertificateDb::ReadEntry(), and Ssl::CertValidationMsg::tryParsingResponse().
◆ ReadOnlyBioTiedTo()
| Ssl::BIO_Pointer Ssl::ReadOnlyBioTiedTo | ( | const char * | bufferToRead | ) |
Creates and returns a BIO for reading from the given c-string. The returned BIO lifetime must not exceed that of the given c-string!
Definition at line 172 of file gadgets.cc.
References Security::ForgetErrors(), Here, and ThrowErrors().
Referenced by Ssl::CrtdMessage::parseRequest(), and Ssl::CertValidationMsg::tryParsingResponse().
◆ ReadOptionalCertificate()
| Security::CertPointer Ssl::ReadOptionalCertificate | ( | const BIO_Pointer & | bio | ) |
Reads and returns a certificate using the given OpenSSL BIO.
- Returns
- a nil pointer if the given BIO is empty or exhausted
Definition at line 791 of file gadgets.cc.
References Assure, ForgetErrors(), Here, and ThrowErrors().
Referenced by Security::KeyData::loadCertificates(), loadCerts(), ReadCertificate(), and Ssl::CertificateDb::ReadEntry().
◆ ReportAndForgetErrors()
| std::ostream & Ssl::ReportAndForgetErrors | ( | std::ostream & | os | ) |
Manipulator to report errors accumulated by OpenSSL in its global storage. Each error is reported on a dedicated Debug::Extra line. Nothing is reported if there are no errors. Also clears all reported errors.
Definition at line 36 of file gadgets.cc.
References asHex(), and Debug::Extra().
Referenced by ForgetErrors(), Security::IssuedBy(), Security::IssuerName(), Security::ServerOptions::loadDhParams(), ParseAsUtf8(), Security::SubjectName(), ThrowErrors(), and Security::ServerOptions::updateContextEecdh().
◆ sk_dtor_wrapper() [1/2]
| Ssl::sk_dtor_wrapper | ( | sk_GENERAL_NAME | , |
| STACK_OF(GENERAL_NAME) * | , | ||
| GENERAL_NAME_free | |||
| ) |
◆ sk_dtor_wrapper() [2/2]
| Ssl::sk_dtor_wrapper | ( | sk_X509 | , |
| STACK_OF(X509) * | , | ||
| X509_free | |||
| ) |
std::unique_ptr typedefs for common SSL objects
◆ SquidUntrustedCerts()
|
static |
Definition at line 75 of file support.cc.
Referenced by completeIssuers(), findIssuerCertificate(), loadSquidUntrusted(), unloadSquidUntrusted(), and VerifyCtxCertificates().
◆ SSL_add_untrusted_cert()
| void Ssl::SSL_add_untrusted_cert | ( | SSL * | ssl, |
| X509 * | cert | ||
| ) |
Add the certificate cert to ssl object untrusted certificates. Squid uses an attached to SSL object list of untrusted certificates, with certificates which can be used to complete incomplete chains sent by the SSL server.
◆ TheGeneratorRequests()
|
static |
Definition at line 62 of file helper.cc.
Referenced by HandleGeneratorReply(), and Ssl::Helper::Submit().
◆ TheGlobalContextStorage()
| Ssl::GlobalContextStorage & Ssl::TheGlobalContextStorage | ( | ) |
Definition at line 124 of file context_storage.cc.
Referenced by clientHttpConnectionsOpen(), Ssl::CertificateStorageAction::dump(), ConnStateData::getTlsContextFromCache(), mainReconfigureStart(), and ConnStateData::storeTlsContextToCache().
◆ VerifyConnCertificates()
| bool Ssl::VerifyConnCertificates | ( | Security::Connection & | sconn, |
| const Ssl::X509_STACK_Pointer & | extraCerts | ||
| ) |
Validates the given TLS connection server certificate chain in conjunction with a (possibly empty) set of "extra" intermediate certs. Also consults sslproxy_foreign_intermediate_certs. This is a C++/Squid-friendly wrapper of OpenSSL "verification callback function" (OpenSSL_vcb_disambiguation). OpenSSL has a similar wrapper, ssl_verify_cert_chain(), but that wrapper is not a part of the public OpenSSL API.
Definition at line 537 of file support.cc.
References debugs, SSL_get0_param(), and VerifyCtxCertificates().
Referenced by Security::PeerConnector::resumeNegotiation().
◆ X509_get_signature()
| const ASN1_BIT_STRING * Ssl::X509_get_signature | ( | const Security::CertPointer & | cert | ) |
wrapper for OpenSSL X509_get0_signature() which takes care of portability issues with older OpenSSL versions
Definition at line 1063 of file gadgets.cc.
References Security::LockingPointer< T, UnLocker, Locker >::get(), and X509_get0_signature().
Referenced by InRamCertificateDbKey(), and printX509Signature().
Variable Documentation
◆ DefaultSignHash
| const EVP_MD * Ssl::DefaultSignHash = nullptr |
Definition at line 44 of file support.cc.
Referenced by ConnStateData::buildSslCertGenerationParams(), and Initialize().
◆ TheConfig
| Ssl::Config Ssl::TheConfig |
Definition at line 12 of file Config.cc.
Referenced by Ssl::Helper::Init(), Ssl::CertValidationHelper::Init(), Security::PeerConnector::initialize(), ssl_verify_cb(), and Security::PeerConnector::sslFinalized().
Introduction
- About Squid
- Why Squid?
- Squid Developers
- How to Donate
- How to Help Out
- Getting Squid
- Squid Source Packages
- Squid Deployment Case-Studies
- Squid Software Foundation
Documentation
- Quick Setup
- Configuration:
- FAQ and Wiki
- Guide Books:
- Non-English
- More...
Support
- Security Advisories
- Bugzilla Database
- Mailing lists
- Contacting us
- Commercial services
- Project Sponsors
- Squid-based products