forward.h
1/*
2 * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9#ifndef SQUID_SRC_SECURITY_FORWARD_H
10#define SQUID_SRC_SECURITY_FORWARD_H
11
12#include "base/CbDataList.h"
13#include "base/forward.h"
14#include "base/ToCpp.h"
16
17#if USE_GNUTLS && HAVE_GNUTLS_ABSTRACT_H
18#include <gnutls/abstract.h>
19#endif
20#include <list>
21#include <limits>
22#include <memory>
23#if USE_OPENSSL
24#include "compat/openssl.h"
25#if HAVE_OPENSSL_BN_H
26#include <openssl/bn.h>
27#endif
28#if HAVE_OPENSSL_ERR_H
29#include <openssl/err.h>
30#endif
31#if HAVE_OPENSSL_RSA_H
32#include <openssl/rsa.h>
33#endif
34#if HAVE_OPENSSL_X509_H
35#include <openssl/x509.h>
36#endif
37#endif /* USE_OPENSSL */
38#include <unordered_set>
39
40#if USE_OPENSSL
41// Macro used to define a C++ wrapper functor for one of the sk_*_pop_free
42// OpenSSL family of functions. The generated functor is named by appending the
43// _free_wrapper suffix to sk_object.
44#define sk_dtor_wrapper(sk_object, argument_type, freefunction) \
45 struct sk_object ## _free_wrapper { \
46 void operator()(argument_type a) { sk_object ## _pop_free(a, freefunction); } \
47 }
48#endif /* USE_OPENSSL */
49
50/* flags an SSL connection can be configured with */
51#define SSL_FLAG_NO_DEFAULT_CA (1<<0)
52#define SSL_FLAG_DELAYED_AUTH (1<<1)
53#define SSL_FLAG_DONT_VERIFY_PEER (1<<2)
54#define SSL_FLAG_DONT_VERIFY_DOMAIN (1<<3)
55#define SSL_FLAG_NO_SESSION_REUSE (1<<4)
56#define SSL_FLAG_VERIFY_CRL (1<<5)
57#define SSL_FLAG_VERIFY_CRL_ALL (1<<6)
58#define SSL_FLAG_CONDITIONAL_AUTH (1<<7)
59
60#if !USE_OPENSSL && !USE_GNUTLS
65struct notls_x509 {}; // placeholder X.509 certificate type for builds without any TLS library; Security::Certificate aliases it in that configuration
66#endif
67
69namespace Security
70{
71
72class CertError;
75
76#if USE_OPENSSL
77typedef X509 Certificate;
78#elif USE_GNUTLS
79typedef struct gnutls_x509_crt_int Certificate;
80#else
81typedef struct notls_x509 Certificate;
82#endif
83
84#if USE_OPENSSL
85CtoCpp1(X509_free, X509 *);
87#elif USE_GNUTLS
88typedef std::shared_ptr<struct gnutls_x509_crt_int> CertPointer;
89#else
90typedef std::shared_ptr<Certificate> CertPointer;
91#endif
92
93#if USE_OPENSSL
94CtoCpp1(X509_CRL_free, X509_CRL *);
96#elif USE_GNUTLS
97CtoCpp1(gnutls_x509_crl_deinit, gnutls_x509_crl_t);
99#else
100typedef void *CrlPointer;
101#endif
102
103typedef std::list<Security::CertPointer> CertList;
104
105typedef std::list<Security::CrlPointer> CertRevokeList;
106
107#if USE_OPENSSL
108CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
110#elif USE_GNUTLS
111using PrivateKeyPointer = std::shared_ptr<struct gnutls_x509_privkey_int>;
112#else
113using PrivateKeyPointer = std::shared_ptr<void>;
114#endif
115
116#if USE_OPENSSL
117#if OPENSSL_VERSION_MAJOR < 3
118CtoCpp1(DH_free, DH *);
120#else
121using DhePointer = PrivateKeyPointer;
122#endif
123#elif USE_GNUTLS
124using DhePointer = void *;
125#else
126using DhePointer = void *;
127#endif
128
129class EncryptorAnswer;
130
132typedef int ErrorCode;
133
135#if USE_OPENSSL
139typedef unsigned long LibErrorCode;
140#elif USE_GNUTLS
143typedef int LibErrorCode;
144#else
146typedef int LibErrorCode;
147#endif
148
/// converts numeric LibErrorCode into a human-friendlier string
/// \returns a pointer to library-owned storage; the caller must not free it
///
/// OpenSSL builds: passing a null buffer makes OpenSSL format the message into
/// its own internal static buffer, which the next ERR_error_string() call
/// overwrites; OpenSSL documents this null-buffer mode as not thread-safe.
/// Copy or log the text before issuing further OpenSSL error calls.
/// GnuTLS builds: gnutls_strerror() returns a library-owned, read-only string.
inline const char *ErrorString(const LibErrorCode code)
{
#if USE_OPENSSL
    // null buffer selects OpenSSL's internal static buffer (see note above)
    const char *text = ERR_error_string(code, nullptr);
#elif USE_GNUTLS
    const char *text = gnutls_strerror(code);
#else
    (void)code; // nothing to translate without a TLS library
    const char *text = "[no TLS library]";
#endif
    return text;
}
160
163typedef std::unordered_set<Security::ErrorCode> Errors;
164
165namespace Io
166{
167enum Type {
168#if USE_OPENSSL
171#elif USE_GNUTLS
172 // NP: this is odd looking but correct.
173 // 'to-client' means we are a server, and vice versa.
174 BIO_TO_CLIENT = GNUTLS_SERVER,
175 BIO_TO_SERVER = GNUTLS_CLIENT
176#else
177 BIO_TO_CLIENT = 6000,
179#endif
181
182} // namespace Io
183
184// TODO: Either move to Security::Io or remove/restrict the Io namespace.
185class IoResult;
186
187class CommunicationSecrets;
188class KeyData;
189class KeyLog;
190
191#if USE_OPENSSL
192using ParsedOptions = uint64_t;
193#elif USE_GNUTLS
194typedef std::shared_ptr<struct gnutls_priority_st> ParsedOptions;
195#else
196class ParsedOptions {}; // we never parse/use TLS options in this case (no TLS library built in), so an empty tag type suffices
197#endif
198
202typedef long ParsedPortFlags;
203
204class PeerConnector;
206class PeerOptions;
207
208class ServerOptions;
209
210class ErrorDetail;
212
213std::ostream &operator <<(std::ostream &, const KeyLog &);
214
215void OpenLogs();
216void RotateLogs();
217void CloseLogs();
218
219} // namespace Security
220
225enum {
227
228 /* TLS library calls/contexts other than validation (e.g., I/O) */
231
232 /* certificate validation problems not covered by official errors */
236
239
240#endif /* SQUID_SRC_SECURITY_FORWARD_H */
241
A simple PeerConnector for SSL/TLS cache_peers. No SslBump capabilities.
a single tls_key_log directive configuration and logging handler
Definition: KeyLog.h:21
TLS squid.conf settings for a remote server peer.
Definition: PeerOptions.h:26
TLS squid.conf settings for a listening port.
Definition: ServerOptions.h:26
Definition: cf_gen.cc:109
A const & min(A const &lhs, A const &rhs)
@ BIO_TO_CLIENT
Definition: forward.h:169
@ BIO_TO_SERVER
Definition: forward.h:170
Network/connection security abstraction layer.
Definition: Connection.h:34
Security::LockingPointer< X509_CRL, X509_CRL_free_cpp, HardFun< int, X509_CRL *, X509_CRL_up_ref > > CrlPointer
Definition: forward.h:95
RefCount< ErrorDetail > ErrorDetailPointer
Definition: forward.h:211
Security::LockingPointer< DH, DH_free_cpp, HardFun< int, DH *, DH_up_ref > > DhePointer
Definition: forward.h:119
uint64_t ParsedOptions
Definition: forward.h:192
int ErrorCode
Squid-defined error code (<0), an error code returned by X.509 API, or zero.
Definition: forward.h:132
void OpenLogs()
opens logs enabled in the current configuration
Definition: KeyLog.cc:71
unsigned long LibErrorCode
TLS library-reported non-validation error.
Definition: forward.h:139
X509 Certificate
Definition: forward.h:77
CbDataList< Security::CertError > CertErrors
Holds a list of X.509 certificate errors.
Definition: forward.h:74
Security::LockingPointer< X509, X509_free_cpp, HardFun< int, X509 *, X509_up_ref > > CertPointer
Definition: forward.h:86
long ParsedPortFlags
Definition: forward.h:202
std::unordered_set< Security::ErrorCode > Errors
Definition: forward.h:163
std::list< Security::CrlPointer > CertRevokeList
Definition: forward.h:105
CtoCpp1(X509_free, X509 *)
std::list< Security::CertPointer > CertList
Definition: forward.h:103
void CloseLogs()
closes logs opened by OpenLogs()
Definition: KeyLog.cc:85
const char * ErrorString(const LibErrorCode code)
converts numeric LibErrorCode into a human-friendlier string
Definition: forward.h:150
void RotateLogs()
rotates logs opened by OpenLogs()
Definition: KeyLog.cc:78
std::ostream & operator<<(std::ostream &, const EncryptorAnswer &)
@ SQUID_X509_V_ERR_INFINITE_VALIDATION
Definition: forward.h:235
@ SQUID_X509_V_ERR_DOMAIN_MISMATCH
Definition: forward.h:234
@ SQUID_TLS_ERR_END
Definition: forward.h:237
@ SQUID_TLS_ERR_CONNECT
failure to establish a connection with a TLS server
Definition: forward.h:230
@ SQUID_TLS_ERR_ACCEPT
failure to accept a connection from a TLS client
Definition: forward.h:229
@ SQUID_X509_V_ERR_CERT_CHANGE
Definition: forward.h:233
@ SQUID_TLS_ERR_OFFSET
Definition: forward.h:226
int code
Definition: smb-errors.c:145

 
