forward.h
1 /*
2  * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 #ifndef SQUID_SRC_SECURITY_FORWARD_H
10 #define SQUID_SRC_SECURITY_FORWARD_H
11 
12 #include "base/CbDataList.h"
13 #include "base/forward.h"
14 #include "security/Context.h"
15 #include "security/Session.h"
16 
17 #if USE_GNUTLS && HAVE_GNUTLS_ABSTRACT_H
18 #include <gnutls/abstract.h>
19 #endif
20 #include <list>
21 #include <limits>
22 #if USE_OPENSSL
23 #include "compat/openssl.h"
24 #if HAVE_OPENSSL_BN_H
25 #include <openssl/bn.h>
26 #endif
27 #if HAVE_OPENSSL_ERR_H
28 #include <openssl/err.h>
29 #endif
30 #if HAVE_OPENSSL_RSA_H
31 #include <openssl/rsa.h>
32 #endif
33 #endif /* USE_OPENSSL */
34 #include <unordered_set>
35 
36 #if USE_OPENSSL
// Macro to be used to define the C++ wrapper functor of the sk_*_pop_free
// OpenSSL family of functions. The C++ functor is suffixed with the _free_wrapper
// extension.
//
// OpenSSL's sk_<object>_pop_free(stack, freefunction) releases every element
// with freefunction and then the stack itself, so the generated functor is a
// complete deleter for an owning pointer to that stack type (e.g. as the
// Deleter of a std::unique_ptr). The functor takes the raw stack pointer and
// does not null it out; the owner must not use the pointer afterwards.
#define sk_dtor_wrapper(sk_object, argument_type, freefunction) \
    struct sk_object ## _free_wrapper { \
        void operator()(argument_type a) { sk_object ## _pop_free(a, freefunction); } \
    }
44 #endif /* USE_OPENSSL */
45 
/* flags a SSL connection can be configured with */
// Single-bit flags meant to be OR-ed together. Only the names are defined
// here; the exact effect of each flag is determined by the code that parses
// and consumes them, so confirm there before relying on the hints below.
#define SSL_FLAG_NO_DEFAULT_CA (1<<0)       // presumably: do not load the library's default CA store
#define SSL_FLAG_DELAYED_AUTH (1<<1)
#define SSL_FLAG_DONT_VERIFY_PEER (1<<2)    // presumably: skip peer certificate verification (security-relevant opt-out)
#define SSL_FLAG_DONT_VERIFY_DOMAIN (1<<3)  // presumably: skip certificate-name vs. requested-host matching
#define SSL_FLAG_NO_SESSION_REUSE (1<<4)
#define SSL_FLAG_VERIFY_CRL (1<<5)
#define SSL_FLAG_VERIFY_CRL_ALL (1<<6)
#define SSL_FLAG_CONDITIONAL_AUTH (1<<7)
55 
57 namespace Security
58 {
59 
60 class CertError;
63 
/// the TLS library's native X.509 certificate type (an empty placeholder
/// class when Squid is built without a TLS library)
#if USE_OPENSSL
typedef X509 Certificate;
#elif USE_GNUTLS
typedef struct gnutls_x509_crt_int Certificate;
#else
typedef class {} Certificate;
#endif
71 
72 #if USE_OPENSSL
73 CtoCpp1(X509_free, X509 *);
75 #elif USE_GNUTLS
76 typedef std::shared_ptr<struct gnutls_x509_crt_int> CertPointer;
77 #else
78 typedef std::shared_ptr<Certificate> CertPointer;
79 #endif
80 
81 #if USE_OPENSSL
82 CtoCpp1(X509_CRL_free, X509_CRL *);
84 #elif USE_GNUTLS
85 CtoCpp1(gnutls_x509_crl_deinit, gnutls_x509_crl_t);
87 #else
88 typedef void *CrlPointer;
89 #endif
90 
/// an ordered list of owned certificate pointers
typedef std::list<Security::CertPointer> CertList;

/// an ordered list of owned certificate revocation list (CRL) pointers
typedef std::list<Security::CrlPointer> CertRevokeList;
94 
95 #if USE_OPENSSL
96 CtoCpp1(DH_free, DH *);
98 #else
99 typedef void *DhePointer;
100 #endif
101 
102 class EncryptorAnswer;
103 
/// Squid-defined error code (<0), an error code returned by X.509 API, or zero.
typedef int ErrorCode;

/// TLS library-reported non-validation error. The underlying type follows
/// the library's own error type (OpenSSL: unsigned long; GnuTLS: int), so
/// code that mixes it with ErrorCode must mind the signedness difference.
#if USE_OPENSSL
typedef unsigned long LibErrorCode;
#elif USE_GNUTLS
typedef int LibErrorCode;
#else
typedef int LibErrorCode;
#endif
121 
/// converts numeric LibErrorCode into a human-friendlier string
/// \param code a library-reported error value (see LibErrorCode)
/// \returns a non-null C string owned by the TLS library (or a literal when
///          built without one); the pointer must not be freed by the caller
inline const char *ErrorString(const LibErrorCode code) {
#if USE_OPENSSL
    // With a null buffer OpenSSL formats the message into a library-internal
    // static buffer that the next ERR_error_string() call overwrites, so the
    // result should be consumed (printed/copied) right away, never stored.
    const char *text = ERR_error_string(code, nullptr);
#elif USE_GNUTLS
    // GnuTLS returns a pointer to a constant, library-owned string.
    const char *text = gnutls_strerror(code);
#else
    (void)code;
    const char *text = "[no TLS library]";
#endif
    return text;
}
133 
/// an unordered set of distinct ErrorCode values (no duplicates, no ordering)
typedef std::unordered_set<Security::ErrorCode> Errors;
137 
138 namespace Io
139 {
140 enum Type {
141 #if USE_OPENSSL
144 #elif USE_GNUTLS
145  // NP: this is odd looking but correct.
146  // 'to-client' means we are a server, and vice versa.
147  BIO_TO_CLIENT = GNUTLS_SERVER,
148  BIO_TO_SERVER = GNUTLS_CLIENT
149 #else
150  BIO_TO_CLIENT = 6000,
152 #endif
153 };
154 
155 } // namespace Io
156 
// TODO: Either move to Security::Io or remove/restrict the Io namespace.
class IoResult;

class CommunicationSecrets;
class KeyData;
/// a single tls_key_log directive configuration and logging handler
class KeyLog;
163 
/// the library-specific representation of parsed TLS options
/// (OpenSSL: a plain bit mask; GnuTLS: a shared priority object)
#if USE_OPENSSL
typedef long ParsedOptions;
#elif USE_GNUTLS
typedef std::shared_ptr<struct gnutls_priority_st> ParsedOptions;
#else
class ParsedOptions {}; // we never parse/use TLS options in this case
#endif

/// parsed port flags; NOTE(review): looks like a bit set built from the
/// SSL_FLAG_* values defined earlier in this header — confirm against the parser
typedef long ParsedPortFlags;
176 
class PeerConnector;
/// A simple PeerConnector for SSL/TLS cache_peers. No SslBump capabilities.
class BlindPeerConnector;
/// TLS squid.conf settings for a remote server peer.
class PeerOptions;
180 
181 #if USE_OPENSSL
182 CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
184 #elif USE_GNUTLS
185 typedef std::shared_ptr<struct gnutls_x509_privkey_int> PrivateKeyPointer;
186 #else
187 typedef std::shared_ptr<void> PrivateKeyPointer;
188 #endif
189 
/// TLS squid.conf settings for a listening port.
class ServerOptions;

class ErrorDetail;
194 
std::ostream &operator <<(std::ostream &, const KeyLog &);

/// opens logs enabled in the current configuration
void OpenLogs();
/// rotates logs opened by OpenLogs()
void RotateLogs();
/// closes logs opened by OpenLogs()
void CloseLogs();
200 
201 } // namespace Security
202 
207 enum {
209 
210  /* TLS library calls/contexts other than validation (e.g., I/O) */
213 
214  /* certificate validation problems not covered by official errors */
218 
220 };
221 
222 #endif /* SQUID_SRC_SECURITY_FORWARD_H */
223 
int ErrorCode
Squid-defined error code (<0), an error code returned by X.509 API, or zero.
Definition: forward.h:102
@ SQUID_TLS_ERR_OFFSET
Definition: forward.h:208
@ SQUID_X509_V_ERR_DOMAIN_MISMATCH
Definition: forward.h:216
Security::LockingPointer< X509, X509_free_cpp, HardFun< int, X509 *, X509_up_ref > > CertPointer
Definition: forward.h:74
void OpenLogs()
opens logs enabled in the current configuration
Definition: KeyLog.cc:71
@ BIO_TO_SERVER
Definition: forward.h:143
@ BIO_TO_CLIENT
Definition: forward.h:142
Security::LockingPointer< DH, DH_free_cpp, HardFun< int, DH *, DH_up_ref > > DhePointer
Definition: forward.h:97
@ SQUID_TLS_ERR_CONNECT
failure to establish a connection with a TLS server
Definition: forward.h:212
void RotateLogs()
rotates logs opened by OpenLogs()
Definition: KeyLog.cc:78
TLS squid.conf settings for a remote server peer.
Definition: PeerOptions.h:24
RefCount< ErrorDetail > ErrorDetailPointer
Definition: forward.h:192
unsigned char code
Definition: html_quote.c:20
long ParsedPortFlags
Definition: forward.h:175
Definition: cf_gen.cc:109
@ SQUID_TLS_ERR_ACCEPT
failure to accept a connection from a TLS client
Definition: forward.h:211
CtoCpp1(X509_free, X509 *)
@ SQUID_X509_V_ERR_CERT_CHANGE
Definition: forward.h:215
CbDataList< Security::CertError > CertErrors
Holds a list of X.509 certificate errors.
Definition: forward.h:60
A simple PeerConnector for SSL/TLS cache_peers. No SslBump capabilities.
@ SQUID_TLS_ERR_END
Definition: forward.h:219
TLS squid.conf settings for a listening port.
Definition: ServerOptions.h:26
std::ostream & operator<<(std::ostream &, const Security::EncryptorAnswer &)
X509 Certificate
Definition: forward.h:65
std::list< Security::CertPointer > CertList
Definition: forward.h:91
std::list< Security::CrlPointer > CertRevokeList
Definition: forward.h:93
@ SQUID_X509_V_ERR_INFINITE_VALIDATION
Definition: forward.h:217
void CloseLogs()
closes logs opened by OpenLogs()
Definition: KeyLog.cc:85
a single tls_key_log directive configuration and logging handler
Definition: KeyLog.h:21
std::unordered_set< Security::ErrorCode > Errors
Definition: forward.h:136
Security::LockingPointer< X509_CRL, X509_CRL_free_cpp, HardFun< int, X509_CRL *, X509_CRL_up_ref > > CrlPointer
Definition: forward.h:83
A const & min(A const &lhs, A const &rhs)
Network/connection security abstraction layer.
Definition: Connection.h:34
const char * ErrorString(const LibErrorCode code)
converts numeric LibErrorCode into a human-friendlier string
Definition: forward.h:123
long ParsedOptions
Definition: forward.h:162
unsigned long LibErrorCode
TLS library-reported non-validation error.
Definition: forward.h:112