Classes | |
| class | IcapPeerConnector |
| A simple PeerConnector for Secure ICAP services. No SslBump capabilities. More... | |
| class | Lock |
| maintains an exclusive blocking file-based lock More... | |
| class | Locker |
| an exception-safe way to obtain and release a lock More... | |
| class | CertificateDb |
| class | Bio |
| BIO source and sink node, handling socket I/O and monitoring SSL state. More... | |
| class | ClientBio |
| class | ServerBio |
| class | CertValidationRequest |
| class | CertValidationResponse |
| class | CertValidationMsg |
| class | Config |
| class | CertificateStorageAction |
| class | GlobalContextStorage |
| Class for storing/manipulating LocalContextStorage per local listening address/port. More... | |
| class | CrtdMessage |
| class | ErrorDetail |
| class | ErrorDetailFile |
| manages error detail templates More... | |
| class | ErrorDetailEntry |
| class | ErrorDetailsList |
| class | ErrorDetailsManager |
| class | CertificateProperties |
| class | GeneratorRequestor |
| Initiator of an Ssl::Helper query. More... | |
| class | GeneratorRequest |
| A pending Ssl::Helper request, combining the original and collapsed queries. More... | |
| class | Helper |
| class | CertValidationHelper |
| class | PeekingPeerConnector |
| A PeerConnector for HTTP origin servers. Capable of SslBumping. More... | |
| class | ServerBump |
Typedefs | |
| typedef LruMap< SBuf, Security::ContextPointer, SSL_CTX_SIZE > | LocalContextStorage |
| typedef SSL_METHOD * | ContextMethod |
| typedef std::unique_ptr < STACK_OF(X509), sk_X509_free_wrapper > | X509_STACK_Pointer |
| typedef std::unique_ptr < BIGNUM, HardFun< void, BIGNUM *,&BN_free > > | BIGNUM_Pointer |
| typedef std::unique_ptr< BIO, HardFun< void, BIO *,&BIO_vfree > > | BIO_Pointer |
| typedef std::unique_ptr < ASN1_INTEGER, HardFun< void, ASN1_INTEGER *,&ASN1_INTEGER_free > > | ASN1_INT_Pointer |
| typedef std::unique_ptr < ASN1_OCTET_STRING, HardFun < void, ASN1_OCTET_STRING *,&ASN1_OCTET_STRING_free > > | ASN1_OCTET_STRING_Pointer |
| typedef std::unique_ptr < TXT_DB, HardFun< void, TXT_DB *,&TXT_DB_free > > | TXT_DB_Pointer |
| typedef std::unique_ptr < X509_NAME, HardFun< void, X509_NAME *,&X509_NAME_free > > | X509_NAME_Pointer |
| typedef std::unique_ptr< RSA, HardFun< void, RSA *,&RSA_free > > | RSA_Pointer |
| typedef std::unique_ptr < X509_REQ, HardFun< void, X509_REQ *,&X509_REQ_free > > | X509_REQ_Pointer |
| typedef std::unique_ptr < AUTHORITY_KEYID, HardFun < void, AUTHORITY_KEYID *,&AUTHORITY_KEYID_free > > | AUTHORITY_KEYID_Pointer |
| typedef std::unique_ptr < STACK_OF(GENERAL_NAME), sk_GENERAL_NAME_free_wrapper > | GENERAL_NAME_STACK_Pointer |
| typedef std::unique_ptr < GENERAL_NAME, HardFun< void, GENERAL_NAME *,&GENERAL_NAME_free > > | GENERAL_NAME_Pointer |
| typedef std::unique_ptr < X509_EXTENSION, HardFun < void, X509_EXTENSION *,&X509_EXTENSION_free > > | X509_EXTENSION_Pointer |
| typedef std::unordered_map < SBuf, GeneratorRequest * > | GeneratorRequests |
| Ssl::Helper query:GeneratorRequest map. More... | |
| typedef RefCount < CertValidationResponse > | CertValidationResponsePointer |
| typedef char const * | GETX509ATTRIBUTE (X509 *, const char *) |
| typedef std::multimap< SBuf, X509 * > | CertsIndexedList |
| certificates indexed by issuer name More... | |
Enumerations | |
| enum | CertSignAlgorithm { algSignTrusted = 0, algSignUntrusted, algSignSelf, algSignEnd } |
| enum | CertAdaptAlgorithm { algSetValidAfter = 0, algSetValidBefore, algSetCommonName, algSetEnd } |
| enum | BumpMode { bumpNone = 0, bumpClientFirst, bumpServerFirst, bumpPeek, bumpStare, bumpBump, bumpSplice, bumpTerminate, bumpEnd } |
| enum | BumpStep { bumpStep1, bumpStep2, bumpStep3 } |
Functions | |
| bool | ParseErrorString (const char *name, Security::Errors &) |
| Security::ErrorCode | GetErrorCode (const char *name) |
| The Security::ErrorCode code of the error described by "name". More... | |
| const char * | GetErrorName (Security::ErrorCode value) |
| The string representation of the TLS error "value". More... | |
| const char * | GetErrorDescr (Security::ErrorCode value) |
| A short description of the TLS error "value". More... | |
| bool | ErrorIsOptional (const char *name) |
| void | errorDetailInitialize () |
| void | errorDetailClean () |
| sk_dtor_wrapper (sk_X509, STACK_OF(X509)*, X509_free) | |
| sk_dtor_wrapper (sk_GENERAL_NAME, STACK_OF(GENERAL_NAME)*, GENERAL_NAME_free) | |
| EVP_PKEY * | createSslPrivateKey () |
| bool | writeCertAndPrivateKeyToMemory (Security::CertPointer const &cert, Security::PrivateKeyPointer const &pkey, std::string &bufferToWrite) |
| bool | appendCertToMemory (Security::CertPointer const &cert, std::string &bufferToWrite) |
| bool | readCertAndPrivateKeyFromMemory (Security::CertPointer &cert, Security::PrivateKeyPointer &pkey, char const *bufferToRead) |
| bool | readCertFromMemory (Security::CertPointer &cert, char const *bufferToRead) |
| void | ReadPrivateKeyFromFile (char const *keyFilename, Security::PrivateKeyPointer &pkey, pem_password_cb *passwd_callback) |
| bool | OpenCertsFileForReading (BIO_Pointer &bio, const char *filename) |
| bool | ReadX509Certificate (BIO_Pointer &bio, Security::CertPointer &cert) |
| bool | ReadPrivateKey (BIO_Pointer &bio, Security::PrivateKeyPointer &pkey, pem_password_cb *passwd_callback) |
| bool | OpenCertsFileForWriting (BIO_Pointer &bio, const char *filename) |
| bool | WriteX509Certificate (BIO_Pointer &bio, const Security::CertPointer &cert) |
| bool | WritePrivateKey (BIO_Pointer &bio, const Security::PrivateKeyPointer &pkey) |
| const char * | certSignAlgorithm (int sg) |
| CertSignAlgorithm | certSignAlgorithmId (const char *sg) |
| const char * | sslCertAdaptAlgoritm (int alg) |
| std::string & | OnDiskCertificateDbKey (const CertificateProperties &) |
| bool | generateSslCertificate (Security::CertPointer &cert, Security::PrivateKeyPointer &pkey, CertificateProperties const &properties) |
| bool | sslDateIsInTheFuture (char const *date) |
| bool | certificateMatchesProperties (X509 *peer_cert, CertificateProperties const &properties) |
| const char * | CommonHostName (X509 *x509) |
| const char * | getOrganization (X509 *x509) |
| bool | CertificatesCmp (const Security::CertPointer &cert1, const Security::CertPointer &cert2) |
| const ASN1_BIT_STRING * | X509_get_signature (const Security::CertPointer &) |
| static void | HandleGeneratorReply (void *data, const ::Helper::Reply &reply) |
| receives helper response More... | |
| int | AskPasswordCb (char *buf, int size, int rwflag, void *userdata) |
| void | Initialize () |
| bool | InitServerContext (Security::ContextPointer &, AnyP::PortCfg &) |
| initialize a TLS server context with OpenSSL specific settings More... | |
| bool | InitClientContext (Security::ContextPointer &, Security::PeerOptions &, long flags) |
| initialize a TLS client context with OpenSSL specific settings More... | |
| void | SetupVerifyCallback (Security::ContextPointer &) |
| set the certificate verify callback for a context More... | |
| void | MaybeSetupRsaCallback (Security::ContextPointer &) |
| if required, setup callback for generating ephemeral RSA keys More... | |
| const char * | bumpMode (int bm) |
| bool | loadCerts (const char *certsFile, Ssl::CertsIndexedList &list) |
| bool | loadSquidUntrusted (const char *path) |
| void | unloadSquidUntrusted () |
| void | SSL_add_untrusted_cert (SSL *ssl, X509 *cert) |
| const char * | uriOfIssuerIfMissing (X509 *cert, Security::CertList const &serverCertificates, const Security::ContextPointer &context) |
| void | missingChainCertificatesUrls (std::queue< SBuf > &URIs, Security::CertList const &serverCertificates, const Security::ContextPointer &context) |
| bool | generateUntrustedCert (Security::CertPointer &untrustedCert, Security::PrivateKeyPointer &untrustedPkey, Security::CertPointer const &cert, Security::PrivateKeyPointer const &pkey) |
| Security::ContextPointer | GenerateSslContext (CertificateProperties const &, Security::ServerOptions &, bool trusted) |
| bool | verifySslCertificate (Security::ContextPointer &, CertificateProperties const &) |
| Security::ContextPointer | GenerateSslContextUsingPkeyAndCertFromMemory (const char *data, Security::ServerOptions &, bool trusted) |
| Security::ContextPointer | createSSLContext (Security::CertPointer &x509, Security::PrivateKeyPointer &pkey, Security::ServerOptions &) |
| Create SSL context and apply ssl certificate and private key to it. More... | |
| void | chainCertificatesToSSLContext (Security::ContextPointer &, Security::ServerOptions &) |
| void | configureUnconfiguredSslContext (Security::ContextPointer &, Ssl::CertSignAlgorithm signAlgorithm, AnyP::PortCfg &) |
| bool | configureSSL (SSL *ssl, CertificateProperties const &properties, AnyP::PortCfg &port) |
| bool | configureSSLUsingPkeyAndCertFromMemory (SSL *ssl, const char *data, AnyP::PortCfg &port) |
| void | useSquidUntrusted (SSL_CTX *sslContext) |
| int | matchX509CommonNames (X509 *peer_cert, void *check_data, int(*check_func)(void *check_data, ASN1_STRING *cn_data)) |
| bool | checkX509ServerValidity (X509 *cert, const char *server) |
| int | asn1timeToString (ASN1_TIME *tm, char *buf, int len) |
| void | setClientSNI (SSL *ssl, const char *fqdn) |
| void | InRamCertificateDbKey (const Ssl::CertificateProperties &certProperties, SBuf &key) |
| BIO * | BIO_new_SBuf (SBuf *buf) |
Variables | |
| Config | TheConfig |
| GlobalContextStorage | TheGlobalContextStorage |
| Global cache for store all SSL server certificates. More... | |
| const char * | CertSignAlgorithmStr [] |
| const char * | CertAdaptAlgorithmStr [] |
| GETX509ATTRIBUTE | GetX509UserAttribute |
| GETX509ATTRIBUTE | GetX509CAAttribute |
| GETX509ATTRIBUTE | GetX509Fingerprint |
| const EVP_MD * | DefaultSignHash = NULL |
| std::vector< const char * > | BumpModeStr |
Typedef Documentation
| typedef std::unique_ptr<ASN1_INTEGER, HardFun<void, ASN1_INTEGER*, &ASN1_INTEGER_free> > Ssl::ASN1_INT_Pointer |
| typedef std::unique_ptr<ASN1_OCTET_STRING, HardFun<void, ASN1_OCTET_STRING*, &ASN1_OCTET_STRING_free> > Ssl::ASN1_OCTET_STRING_Pointer |
| typedef std::unique_ptr<AUTHORITY_KEYID, HardFun<void, AUTHORITY_KEYID*, &AUTHORITY_KEYID_free> > Ssl::AUTHORITY_KEYID_Pointer |
| typedef std::unique_ptr<BIGNUM, HardFun<void, BIGNUM*, &BN_free> > Ssl::BIGNUM_Pointer |
| typedef std::unique_ptr<BIO, HardFun<void, BIO*, &BIO_vfree> > Ssl::BIO_Pointer |
| typedef std::multimap< SBuf, X509 * > Ssl::CertsIndexedList |
| typedef SSL_METHOD* Ssl::ContextMethod |
| typedef std::unique_ptr<GENERAL_NAME, HardFun<void, GENERAL_NAME*, &GENERAL_NAME_free> > Ssl::GENERAL_NAME_Pointer |
| typedef std::unique_ptr<STACK_OF(GENERAL_NAME), sk_GENERAL_NAME_free_wrapper> Ssl::GENERAL_NAME_STACK_Pointer |
| typedef std::unordered_map<SBuf, GeneratorRequest*> Ssl::GeneratorRequests |
Definition at line 51 of file context_storage.h.
| typedef std::unique_ptr<RSA, HardFun<void, RSA*, &RSA_free> > Ssl::RSA_Pointer |
| typedef std::unique_ptr<TXT_DB, HardFun<void, TXT_DB*, &TXT_DB_free> > Ssl::TXT_DB_Pointer |
| typedef std::unique_ptr<X509_EXTENSION, HardFun<void, X509_EXTENSION*, &X509_EXTENSION_free> > Ssl::X509_EXTENSION_Pointer |
| typedef std::unique_ptr<X509_NAME, HardFun<void, X509_NAME*, &X509_NAME_free> > Ssl::X509_NAME_Pointer |
| typedef std::unique_ptr<X509_REQ, HardFun<void, X509_REQ*, &X509_REQ_free> > Ssl::X509_REQ_Pointer |
| typedef std::unique_ptr<STACK_OF(X509), sk_X509_free_wrapper> Ssl::X509_STACK_Pointer |
Enumeration Type Documentation
| enum Ssl::BumpStep |
Function Documentation
callback for receiving password to access password secured PEM files XXX: Requires SSL_CTX_set_default_passwd_cb_userdata()!
Definition at line 63 of file support.cc.
References len.
Referenced by Security::KeyData::loadX509PrivateKeyFromFile(), and ssl_ask_password().
| void Ssl::errorDetailClean | ( | ) |
Definition at line 21 of file ErrorDetailManager.cc.
References Ssl::ErrorDetailsManager::Shutdown().
Referenced by errorClean().
| void Ssl::errorDetailInitialize | ( | ) |
Definition at line 16 of file ErrorDetailManager.cc.
References Ssl::ErrorDetailsManager::GetInstance().
Referenced by errorInitialize().
| bool Ssl::ErrorIsOptional | ( | const char * | name | ) |
- Returns
- true if the TLS error is optional and may not be supported by current squid version
Definition at line 405 of file ErrorDetail.cc.
References i, NULL, and OptionalSslErrors.
Referenced by Ssl::ErrorDetailFile::parse().
| Security::ErrorCode Ssl::GetErrorCode | ( | const char * | name | ) |
Definition at line 345 of file ErrorDetail.cc.
References i, SslErrorEntry::name, NULL, and SslErrorEntry::value.
Referenced by Ssl::ErrorDetailFile::parse(), ParseErrorString(), and Ssl::CertValidationMsg::parseResponse().
| const char * Ssl::GetErrorDescr | ( | Security::ErrorCode | value | ) |
Definition at line 415 of file ErrorDetail.cc.
Referenced by ssl_verify_cb().
| const char * Ssl::GetErrorName | ( | Security::ErrorCode | value | ) |
Definition at line 392 of file ErrorDetail.cc.
References loadSslErrorMap(), NULL, and TheSslErrors.
Referenced by Format::Format::assemble(), Ssl::CertValidationMsg::composeRequest(), ACLSslErrorData::dump(), Ssl::ErrorDetail::err_code(), and Ssl::ErrorDetailsManager::getErrorDetail().
|
static |
Definition at line 149 of file helper.cc.
References assert, cbdata::data, debugs, Ssl::GeneratorRequest::query, request(), Ssl::GeneratorRequest::requestors, and TheGeneratorRequests.
Referenced by Ssl::Helper::Submit().
| bool Ssl::InitClientContext | ( | Security::ContextPointer & | ctx, |
| Security::PeerOptions & | peer, | ||
| long | flags | ||
| ) |
Definition at line 518 of file support.cc.
References SBuf::c_str(), Security::PeerOptions::certs, DBG_IMPORTANT, debugs, Security::ErrorString(), fatalf(), SBuf::isEmpty(), keys, MaybeSetupRsaCallback(), NULL, SetupVerifyCallback(), ssl_ask_password(), SSL_FLAG_DONT_VERIFY_PEER, and Security::PeerOptions::sslCipher.
Referenced by Security::PeerOptions::createClientContext().
| void Ssl::Initialize | ( | void | ) |
initialize the SSL library global state. call before generating any SSL context
Definition at line 465 of file support.cc.
References DefaultSignHash, Security::ErrorString(), fatalf(), NULL, SQUID_SSL_SIGN_HASH_IF_NONE, ssl_ctx_ex_index_dont_verify_domain, ssl_dupAclChecklist(), ssl_ex_index_cert_error_check, ssl_ex_index_server, ssl_ex_index_ssl_cert_chain, ssl_ex_index_ssl_error_detail, ssl_ex_index_ssl_errors, ssl_ex_index_ssl_peeked_cert, ssl_ex_index_ssl_untrusted_chain, ssl_ex_index_ssl_validation_counter, ssl_free_CertChain(), ssl_free_ErrorDetail(), ssl_free_int(), ssl_free_SBuf(), ssl_free_SslErrors(), ssl_free_X509(), and ssl_freeAclChecklist().
Referenced by Security::PeerOptions::createBlankContext(), and Security::ServerOptions::createBlankContext().
| bool Ssl::InitServerContext | ( | Security::ContextPointer & | ctx, |
| AnyP::PortCfg & | port | ||
| ) |
Definition at line 509 of file support.cc.
| void Ssl::MaybeSetupRsaCallback | ( | Security::ContextPointer & | ctx | ) |
Definition at line 149 of file support.cc.
References debugs.
Referenced by InitClientContext(), and Security::ServerOptions::updateContextConfig().
| void Ssl::missingChainCertificatesUrls | ( | std::queue< SBuf > & | URIs, |
| Security::CertList const & | serverCertificates, | ||
| const Security::ContextPointer & | context | ||
| ) |
Fill URIs queue with the uris of missing certificates from serverCertificate chain if this information provided by Authority Info Access.
Definition at line 1071 of file support.cc.
References i, and uriOfIssuerIfMissing().
Referenced by Security::PeerConnector::checkForMissingCertificates().
| bool Ssl::ParseErrorString | ( | const char * | name, |
| Security::Errors & | errors | ||
| ) |
Converts user-friendly error "name" into an Security::ErrorCode and adds it to the provided container (using emplace). This function can handle numeric error numbers as well as names.
Definition at line 356 of file ErrorDetail.cc.
References assert, fatalf(), GetErrorCode(), i, loadSslErrorShortcutsMap(), NULL, SQUID_SSL_ERROR_MAX, SQUID_SSL_ERROR_MIN, TheSslErrorShortcuts, and xisdigit.
Referenced by ACLSslErrorData::parse().
| void Ssl::SetupVerifyCallback | ( | Security::ContextPointer & | ctx | ) |
Definition at line 379 of file support.cc.
References ssl_verify_cb().
Referenced by InitClientContext(), and Security::ServerOptions::updateContextClientCa().
| Ssl::sk_dtor_wrapper | ( | sk_X509 | , |
| STACK_OF(X509)* | , | ||
| X509_free | |||
| ) |
std::unique_ptr typedefs for common SSL objects
| Ssl::sk_dtor_wrapper | ( | sk_GENERAL_NAME | , |
| STACK_OF(GENERAL_NAME)* | , | ||
| GENERAL_NAME_free | |||
| ) |
| void Ssl::SSL_add_untrusted_cert | ( | SSL * | ssl, |
| X509 * | cert | ||
| ) |
Add the certificate cert to ssl object untrusted certificates. Squid uses an attached to SSL object list of untrusted certificates, with certificates which can be used to complete incomplete chains sent by the SSL server.
Definition at line 1083 of file support.cc.
References Here, ssl_ex_index_ssl_untrusted_chain, and STACK_OF().
Referenced by Security::PeerConnector::certDownloadingDone().
| const char * Ssl::uriOfIssuerIfMissing | ( | X509 * | cert, |
| Security::CertList const & | serverCertificates, | ||
| const Security::ContextPointer & | context | ||
| ) |
Searches in serverCertificates list for the cert issuer and if not found and Authority Info Access of cert provides a URI return it.
Definition at line 1050 of file support.cc.
References findCertIssuer(), findCertIssuerFast(), hasAuthorityInfoAccessCaIssuers(), issuerExistInCaDb(), and SquidUntrustedCerts.
Referenced by Security::PeerConnector::certDownloadingDone(), and missingChainCertificatesUrls().
| const ASN1_BIT_STRING * Ssl::X509_get_signature | ( | const Security::CertPointer & | cert | ) |
wrapper for OpenSSL X509_get0_signature() which takes care of portability issues with older OpenSSL versions
Definition at line 949 of file gadgets.cc.
Referenced by InRamCertificateDbKey(), and printX509Signature().
Variable Documentation
| const EVP_MD * Ssl::DefaultSignHash = NULL |
Definition at line 43 of file support.cc.
Referenced by ConnStateData::buildSslCertGenerationParams(), and Initialize().
| Ssl::Config Ssl::TheConfig |
Definition at line 12 of file Config.cc.
Referenced by Ssl::Helper::Init(), Ssl::CertValidationHelper::Init(), Security::PeerConnector::initialize(), ssl_verify_cb(), and Security::PeerConnector::sslFinalized().
| Ssl::GlobalContextStorage Ssl::TheGlobalContextStorage |
Definition at line 118 of file context_storage.cc.
Referenced by clientHttpConnectionsOpen(), Ssl::CertificateStorageAction::dump(), ConnStateData::getTlsContextFromCache(), mainReconfigureStart(), and ConnStateData::storeTlsContextToCache().