1/*
2 * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9#ifndef SQUID_SRC_SECURITY_FORWARD_H
10#define SQUID_SRC_SECURITY_FORWARD_H
11
12#include "base/CbDataList.h"
13#include "base/forward.h"
14#include "security/Context.h"
15#include "security/Session.h"
16
17#if USE_GNUTLS && HAVE_GNUTLS_ABSTRACT_H
18#include <gnutls/abstract.h>
19#endif
20#include <list>
21#include <limits>
22#if USE_OPENSSL
23#include "compat/openssl.h"
24#if HAVE_OPENSSL_BN_H
25#include <openssl/bn.h>
26#endif
27#if HAVE_OPENSSL_ERR_H
28#include <openssl/err.h>
29#endif
30#if HAVE_OPENSSL_RSA_H
31#include <openssl/rsa.h>
32#endif
33#endif /* USE_OPENSSL */
34#include <unordered_set>
35
36#if USE_OPENSSL
37// Macro to be used to define the C++ wrapper functor of the sk_*_pop_free
38// OpenSSL family of functions. The C++ functor is suffixed with the _free_wrapper
39// extension
40#define sk_dtor_wrapper(sk_object, argument_type, freefunction) \
41 struct sk_object ## _free_wrapper { \
42 void operator()(argument_type a) { sk_object ## _pop_free(a, freefunction); } \
43 }
44#endif /* USE_OPENSSL */
45
46/* flags a SSL connection can be configured with */
47#define SSL_FLAG_NO_DEFAULT_CA (1<<0)
48#define SSL_FLAG_DELAYED_AUTH (1<<1)
49#define SSL_FLAG_DONT_VERIFY_PEER (1<<2)
50#define SSL_FLAG_DONT_VERIFY_DOMAIN (1<<3)
51#define SSL_FLAG_NO_SESSION_REUSE (1<<4)
52#define SSL_FLAG_VERIFY_CRL (1<<5)
53#define SSL_FLAG_VERIFY_CRL_ALL (1<<6)
54#define SSL_FLAG_CONDITIONAL_AUTH (1<<7)
55
56#if !USE_OPENSSL && !USE_GNUTLS
/// Placeholder X.509 certificate type used only when Squid is built without
/// OpenSSL or GnuTLS; Security::Certificate aliases it in that configuration.
61struct notls_x509 {};
62#endif
63
65namespace Security
66{
67
/// forward declaration; CertErrors (a CbDataList<CertError>, forward.h:70)
/// holds a list of X.509 certificate errors
68class CertError;
71
/// the TLS library's native X.509 certificate type; without a TLS library
/// the empty notls_x509 stand-in is used
72#if USE_OPENSSL
73typedef X509 Certificate;
74#elif USE_GNUTLS
75typedef struct gnutls_x509_crt_int Certificate;
76#else
77typedef struct notls_x509 Certificate;
78#endif
79
/// CertPointer: owning smart pointer to a Certificate. Under OpenSSL,
/// CtoCpp1() generates the X509_free_cpp deleter functor used by the
/// LockingPointer<X509, ...> CertPointer typedef (forward.h:82); the GnuTLS
/// and no-TLS builds use std::shared_ptr instead.
80#if USE_OPENSSL
81CtoCpp1(X509_free, X509 *);
83#elif USE_GNUTLS
84typedef std::shared_ptr<struct gnutls_x509_crt_int> CertPointer;
85#else
86typedef std::shared_ptr<Certificate> CertPointer;
87#endif
88
/// CrlPointer: owning pointer to a certificate revocation list. OpenSSL and
/// GnuTLS builds generate a *_cpp deleter via CtoCpp1() for the LockingPointer
/// typedef (forward.h:91); the no-TLS build has no CRL type and uses void *.
89#if USE_OPENSSL
90CtoCpp1(X509_CRL_free, X509_CRL *);
92#elif USE_GNUTLS
93CtoCpp1(gnutls_x509_crl_deinit, gnutls_x509_crl_t);
95#else
96typedef void *CrlPointer;
97#endif
98
/// an ordered collection of certificates (e.g., a chain)
99typedef std::list<Security::CertPointer> CertList;
100
/// an ordered collection of certificate revocation lists
101typedef std::list<Security::CrlPointer> CertRevokeList;
102
/// PrivateKeyPointer: owning pointer to a private key. OpenSSL keys are
/// EVP_PKEY objects freed through the generated EVP_PKEY_free_cpp functor;
/// the no-TLS build keeps only an opaque shared_ptr<void>.
/// NOTE(review): unlike the other CtoCpp1() invocations in this file, this one
/// has no trailing ';'. Harmless if the macro expands to a definition, but
/// inconsistent.
103#if USE_OPENSSL
104CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
106#elif USE_GNUTLS
107using PrivateKeyPointer = std::shared_ptr<struct gnutls_x509_privkey_int>;
108#else
109using PrivateKeyPointer = std::shared_ptr<void>;
110#endif
111
/// DhePointer: owning pointer to Diffie-Hellman (DHE) parameters. OpenSSL
/// before 3.0 uses the dedicated DH type (LockingPointer typedef at
/// forward.h:115); OpenSSL 3+ represents the parameters as a generic private
/// key object, hence the PrivateKeyPointer alias. GnuTLS and no-TLS builds do
/// not manage DHE parameters through this type and use an opaque void *.
112#if USE_OPENSSL
113#if OPENSSL_VERSION_MAJOR < 3
114CtoCpp1(DH_free, DH *);
116#else
117using DhePointer = PrivateKeyPointer;
118#endif
119#elif USE_GNUTLS
120using DhePointer = void *;
121#else
122using DhePointer = void *;
123#endif
124
125class EncryptorAnswer;
126
/// Squid-defined error code (<0), an error code returned by the X.509 API,
/// or zero.
128typedef int ErrorCode;
129
/// TLS library-reported non-validation error. OpenSSL reports these as
/// unsigned long (the ERR_get_error() type); GnuTLS uses int.
131#if USE_OPENSSL
135typedef unsigned long LibErrorCode;
136#elif USE_GNUTLS
139typedef int LibErrorCode;
140#else
142typedef int LibErrorCode;
143#endif
144
/// Converts a numeric LibErrorCode into a human-friendlier string.
/// \param code a LibErrorCode as reported by the TLS library
/// \returns a NUL-terminated string owned by the TLS library (never nullptr
/// from the no-TLS branch, which returns a fixed literal)
/// NOTE(review): OpenSSL's ERR_error_string() with a nullptr buffer formats
/// into a single library-static buffer, so the returned pointer is not
/// thread-safe and is overwritten by the next call. Callers should copy the
/// text (e.g., into a log message) rather than retain the pointer;
/// ERR_error_string_n() with a caller-supplied buffer avoids the shared buffer.
146inline const char *ErrorString(const LibErrorCode code) {
147#if USE_OPENSSL
148 return ERR_error_string(code, nullptr);
149#elif USE_GNUTLS
150 return gnutls_strerror(code);
151#else
152 (void)code;
153 return "[no TLS library]";
154#endif
155}
156
/// an unordered set of distinct ErrorCode values
159typedef std::unordered_set<Security::ErrorCode> Errors;
160
161namespace Io
162{
/// Which side of the connection a TLS I/O object faces. BIO_TO_CLIENT and
/// BIO_TO_SERVER are defined for every build mode; the OpenSSL values live at
/// forward.h:165-166 and the no-TLS build uses fixed numbers.
163enum Type {
164#if USE_OPENSSL
167#elif USE_GNUTLS
168 // NP: this is odd looking but correct.
169 // 'to-client' means we are a server, and vice versa.
170 BIO_TO_CLIENT = GNUTLS_SERVER,
171 BIO_TO_SERVER = GNUTLS_CLIENT
172#else
173 BIO_TO_CLIENT = 6000,
175#endif
177
178} // namespace Io
179
180// TODO: Either move to Security::Io or remove/restrict the Io namespace.
181class IoResult;
182
183class CommunicationSecrets;
184class KeyData;
/// a single tls_key_log directive configuration and logging handler
/// NOTE(review): a TLS key log records session secrets; its file permissions
/// and retention deserve the same care as private key material. See KeyLog.h.
185class KeyLog;
186
/// ParsedOptions: the library-specific result of parsing TLS options.
/// OpenSSL options are a 64-bit flag set; GnuTLS keeps a priority object.
187#if USE_OPENSSL
188using ParsedOptions = uint64_t;
189#elif USE_GNUTLS
190typedef std::shared_ptr<struct gnutls_priority_st> ParsedOptions;
191#else
192class ParsedOptions {}; // we never parse/use TLS options in this case
193#endif
194
/// parsed port/peer flag bits; presumably a bitmask of the SSL_FLAG_* values
/// defined above -- confirm against the PeerOptions/ServerOptions parsers
198typedef long ParsedPortFlags;
199
/// A simple PeerConnector for SSL/TLS cache_peers. No SslBump capabilities.
/// (PeerConnectorPointer, a RefCount<PeerConnector>, is declared at forward.h:201.)
200class PeerConnector;
/// TLS squid.conf settings for a remote server peer.
202class PeerOptions;
203
/// TLS squid.conf settings for a listening port.
204class ServerOptions;
205
/// details of a TLS/certificate error (ErrorDetailPointer, a
/// RefCount<ErrorDetail>, is declared at forward.h:207)
206class ErrorDetail;
208
/// prints a KeyLog configuration (see KeyLog.h)
209std::ostream &operator <<(std::ostream &, const KeyLog &);
210
/// opens logs enabled in the current configuration (KeyLog.cc)
211void OpenLogs();
/// rotates logs opened by OpenLogs()
212void RotateLogs();
/// closes logs opened by OpenLogs()
213void CloseLogs();
214
215} // namespace Security
216
221enum {
223
224 /* TLS library calls/contexts other than validation (e.g., I/O) */
227
228 /* certificate validation problems not covered by official errors */
232
235
236#endif /* SQUID_SRC_SECURITY_FORWARD_H */
237
A simple PeerConnector for SSL/TLS cache_peers. No SslBump capabilities.
a single tls_key_log directive configuration and logging handler
Definition: KeyLog.h:21
TLS squid.conf settings for a remote server peer.
Definition: PeerOptions.h:24
TLS squid.conf settings for a listening port.
Definition: ServerOptions.h:26
Definition: cf_gen.cc:109
A const & min(A const &lhs, A const &rhs)
unsigned char code
Definition: html_quote.c:20
@ BIO_TO_CLIENT
Definition: forward.h:165
@ BIO_TO_SERVER
Definition: forward.h:166
Network/connection security abstraction layer.
Definition: Connection.h:34
Security::LockingPointer< X509_CRL, X509_CRL_free_cpp, HardFun< int, X509_CRL *, X509_CRL_up_ref > > CrlPointer
Definition: forward.h:91
RefCount< ErrorDetail > ErrorDetailPointer
Definition: forward.h:207
Security::LockingPointer< DH, DH_free_cpp, HardFun< int, DH *, DH_up_ref > > DhePointer
Definition: forward.h:115
uint64_t ParsedOptions
Definition: forward.h:188
int ErrorCode
Squid-defined error code (<0), an error code returned by X.509 API, or zero.
Definition: forward.h:128
void OpenLogs()
opens logs enabled in the current configuration
Definition: KeyLog.cc:71
unsigned long LibErrorCode
TLS library-reported non-validation error.
Definition: forward.h:135
X509 Certificate
Definition: forward.h:73
CbDataList< Security::CertError > CertErrors
Holds a list of X.509 certificate errors.
Definition: forward.h:70
Security::LockingPointer< X509, X509_free_cpp, HardFun< int, X509 *, X509_up_ref > > CertPointer
Definition: forward.h:82
long ParsedPortFlags
Definition: forward.h:198
std::unordered_set< Security::ErrorCode > Errors
Definition: forward.h:159
std::list< Security::CrlPointer > CertRevokeList
Definition: forward.h:101
CtoCpp1(X509_free, X509 *)
std::list< Security::CertPointer > CertList
Definition: forward.h:99
void CloseLogs()
closes logs opened by OpenLogs()
Definition: KeyLog.cc:85
const char * ErrorString(const LibErrorCode code)
converts numeric LibErrorCode into a human-friendlier string
Definition: forward.h:146
void RotateLogs()
rotates logs opened by OpenLogs()
Definition: KeyLog.cc:78
std::ostream & operator<<(std::ostream &, const EncryptorAnswer &)
@ SQUID_X509_V_ERR_INFINITE_VALIDATION
Definition: forward.h:231
@ SQUID_X509_V_ERR_DOMAIN_MISMATCH
Definition: forward.h:230
@ SQUID_TLS_ERR_END
Definition: forward.h:233
@ SQUID_TLS_ERR_CONNECT
failure to establish a connection with a TLS server
Definition: forward.h:226
@ SQUID_TLS_ERR_ACCEPT
failure to accept a connection from a TLS client
Definition: forward.h:225
@ SQUID_X509_V_ERR_CERT_CHANGE
Definition: forward.h:229
@ SQUID_TLS_ERR_OFFSET
Definition: forward.h:222