Ssl Namespace Reference

Classes

class  IcapPeerConnector
 A simple PeerConnector for Secure ICAP services. No SslBump capabilities. More...
 
class  Lock
 maintains an exclusive blocking file-based lock More...
 
class  Locker
 an exception-safe way to obtain and release a lock More...
 
class  CertificateDb
 
class  Bio
 BIO source and sink node, handling socket I/O and monitoring SSL state. More...
 
class  ClientBio
 
class  ServerBio
 
class  CertValidationRequest
 
class  CertValidationResponse
 
class  CertValidationMsg
 
class  Config
 
class  CertificateStorageAction
 
class  GlobalContextStorage
 Class for storing/manipulating LocalContextStorage per local listening address/port. More...
 
class  CrtdMessage
 
class  ErrorDetail
 
class  ErrorDetailFile
 manages error detail templates More...
 
class  ErrorDetailEntry
 
class  ErrorDetailsList
 
class  ErrorDetailsManager
 
class  CertificateProperties
 
class  GeneratorRequestor
 Initiator of an Ssl::Helper query. More...
 
class  GeneratorRequest
 A pending Ssl::Helper request, combining the original and collapsed queries. More...
 
class  Helper
 
class  CertValidationHelper
 
class  PeekingPeerConnector
 A PeerConnector for HTTP origin servers. Capable of SslBumping. More...
 
class  ServerBump
 

Typedefs

typedef LruMap< SBuf,
Security::ContextPointer,
SSL_CTX_SIZE
LocalContextStorage
 
typedef SSL_METHOD * ContextMethod
 
typedef std::unique_ptr
< STACK_OF(X509),
sk_X509_free_wrapper > 
X509_STACK_Pointer
 
typedef std::unique_ptr
< BIGNUM, HardFun< void,
BIGNUM *,&BN_free > > 
BIGNUM_Pointer
 
typedef std::unique_ptr< BIO,
HardFun< void, BIO
*,&BIO_vfree > > 
BIO_Pointer
 
typedef std::unique_ptr
< ASN1_INTEGER, HardFun< void,
ASN1_INTEGER
*,&ASN1_INTEGER_free > > 
ASN1_INT_Pointer
 
typedef std::unique_ptr
< ASN1_OCTET_STRING, HardFun
< void, ASN1_OCTET_STRING
*,&ASN1_OCTET_STRING_free > > 
ASN1_OCTET_STRING_Pointer
 
typedef std::unique_ptr
< TXT_DB, HardFun< void,
TXT_DB *,&TXT_DB_free > > 
TXT_DB_Pointer
 
typedef std::unique_ptr
< X509_NAME, HardFun< void,
X509_NAME *,&X509_NAME_free > > 
X509_NAME_Pointer
 
typedef std::unique_ptr< RSA,
HardFun< void, RSA *,&RSA_free > > 
RSA_Pointer
 
typedef std::unique_ptr
< X509_REQ, HardFun< void,
X509_REQ *,&X509_REQ_free > > 
X509_REQ_Pointer
 
typedef std::unique_ptr
< AUTHORITY_KEYID, HardFun
< void, AUTHORITY_KEYID
*,&AUTHORITY_KEYID_free > > 
AUTHORITY_KEYID_Pointer
 
typedef std::unique_ptr
< STACK_OF(GENERAL_NAME),
sk_GENERAL_NAME_free_wrapper > 
GENERAL_NAME_STACK_Pointer
 
typedef std::unique_ptr
< GENERAL_NAME, HardFun< void,
GENERAL_NAME
*,&GENERAL_NAME_free > > 
GENERAL_NAME_Pointer
 
typedef std::unique_ptr
< X509_EXTENSION, HardFun
< void, X509_EXTENSION
*,&X509_EXTENSION_free > > 
X509_EXTENSION_Pointer
 
typedef std::unordered_map
< SBuf, GeneratorRequest * > 
GeneratorRequests
 Ssl::Helper query:GeneratorRequest map. More...
 
typedef RefCount
< CertValidationResponse
CertValidationResponsePointer
 
typedef char const * GETX509ATTRIBUTE (X509 *, const char *)
 
typedef std::multimap< SBuf,
X509 * > 
CertsIndexedList
 certificates indexed by issuer name More...
 

Enumerations

enum  CertSignAlgorithm {
  algSignTrusted = 0,
  algSignUntrusted,
  algSignSelf,
  algSignEnd
}
 
enum  CertAdaptAlgorithm {
  algSetValidAfter = 0,
  algSetValidBefore,
  algSetCommonName,
  algSetEnd
}
 
enum  BumpMode {
  bumpNone = 0,
  bumpClientFirst,
  bumpServerFirst,
  bumpPeek,
  bumpStare,
  bumpBump,
  bumpSplice,
  bumpTerminate,
  bumpEnd
}
 
enum  BumpStep {
  bumpStep1,
  bumpStep2,
  bumpStep3
}
 

Functions

bool ParseErrorString (const char *name, Security::Errors &)
 
Security::ErrorCode GetErrorCode (const char *name)
 Returns the Security::ErrorCode for the TLS error described by "name". More...
 
const char * GetErrorName (Security::ErrorCode value)
 The string representation of the TLS error "value". More...
 
const char * GetErrorDescr (Security::ErrorCode value)
 A short description of the TLS error "value". More...
 
bool ErrorIsOptional (const char *name)
 
void errorDetailInitialize ()
 
void errorDetailClean ()
 
 sk_dtor_wrapper (sk_X509, STACK_OF(X509)*, X509_free)
 
 sk_dtor_wrapper (sk_GENERAL_NAME, STACK_OF(GENERAL_NAME)*, GENERAL_NAME_free)
 
EVP_PKEY * createSslPrivateKey ()
 
bool writeCertAndPrivateKeyToMemory (Security::CertPointer const &cert, Security::PrivateKeyPointer const &pkey, std::string &bufferToWrite)
 
bool appendCertToMemory (Security::CertPointer const &cert, std::string &bufferToWrite)
 
bool readCertAndPrivateKeyFromMemory (Security::CertPointer &cert, Security::PrivateKeyPointer &pkey, char const *bufferToRead)
 
bool readCertFromMemory (Security::CertPointer &cert, char const *bufferToRead)
 
void ReadPrivateKeyFromFile (char const *keyFilename, Security::PrivateKeyPointer &pkey, pem_password_cb *passwd_callback)
 
bool OpenCertsFileForReading (BIO_Pointer &bio, const char *filename)
 
bool ReadX509Certificate (BIO_Pointer &bio, Security::CertPointer &cert)
 
bool ReadPrivateKey (BIO_Pointer &bio, Security::PrivateKeyPointer &pkey, pem_password_cb *passwd_callback)
 
bool OpenCertsFileForWriting (BIO_Pointer &bio, const char *filename)
 
bool WriteX509Certificate (BIO_Pointer &bio, const Security::CertPointer &cert)
 
bool WritePrivateKey (BIO_Pointer &bio, const Security::PrivateKeyPointer &pkey)
 
const char * certSignAlgorithm (int sg)
 
CertSignAlgorithm certSignAlgorithmId (const char *sg)
 
const char * sslCertAdaptAlgoritm (int alg)
 
std::string & OnDiskCertificateDbKey (const CertificateProperties &)
 
bool generateSslCertificate (Security::CertPointer &cert, Security::PrivateKeyPointer &pkey, CertificateProperties const &properties)
 
bool sslDateIsInTheFuture (char const *date)
 
bool certificateMatchesProperties (X509 *peer_cert, CertificateProperties const &properties)
 
const char * CommonHostName (X509 *x509)
 
const char * getOrganization (X509 *x509)
 
bool CertificatesCmp (const Security::CertPointer &cert1, const Security::CertPointer &cert2)
 
const ASN1_BIT_STRING * X509_get_signature (const Security::CertPointer &)
 
static void HandleGeneratorReply (void *data, const ::Helper::Reply &reply)
 receives helper response More...
 
void Initialize ()
 
bool InitServerContext (Security::ContextPointer &, AnyP::PortCfg &)
 initialize a TLS server context with OpenSSL specific settings More...
 
bool InitClientContext (Security::ContextPointer &, Security::PeerOptions &, long flags)
 initialize a TLS client context with OpenSSL specific settings More...
 
void SetupVerifyCallback (Security::ContextPointer &)
 set the certificate verify callback for a context More...
 
void MaybeSetupRsaCallback (Security::ContextPointer &)
 if required, set up the callback for generating ephemeral RSA keys More...
 
const char * bumpMode (int bm)
 
bool loadCerts (const char *certsFile, Ssl::CertsIndexedList &list)
 
bool loadSquidUntrusted (const char *path)
 
void unloadSquidUntrusted ()
 
void SSL_add_untrusted_cert (SSL *ssl, X509 *cert)
 
const char * uriOfIssuerIfMissing (X509 *cert, Security::CertList const &serverCertificates, const Security::ContextPointer &context)
 
void missingChainCertificatesUrls (std::queue< SBuf > &URIs, Security::CertList const &serverCertificates, const Security::ContextPointer &context)
 
bool generateUntrustedCert (Security::CertPointer &untrustedCert, Security::PrivateKeyPointer &untrustedPkey, Security::CertPointer const &cert, Security::PrivateKeyPointer const &pkey)
 
Security::ContextPointer GenerateSslContext (CertificateProperties const &, Security::ServerOptions &, bool trusted)
 
bool verifySslCertificate (Security::ContextPointer &, CertificateProperties const &)
 
Security::ContextPointer GenerateSslContextUsingPkeyAndCertFromMemory (const char *data, Security::ServerOptions &, bool trusted)
 
Security::ContextPointer createSSLContext (Security::CertPointer &x509, Security::PrivateKeyPointer &pkey, Security::ServerOptions &)
 Create SSL context and apply ssl certificate and private key to it. More...
 
void chainCertificatesToSSLContext (Security::ContextPointer &, Security::ServerOptions &)
 
void configureUnconfiguredSslContext (Security::ContextPointer &, Ssl::CertSignAlgorithm signAlgorithm, AnyP::PortCfg &)
 
bool configureSSL (SSL *ssl, CertificateProperties const &properties, AnyP::PortCfg &port)
 
bool configureSSLUsingPkeyAndCertFromMemory (SSL *ssl, const char *data, AnyP::PortCfg &port)
 
void addChainToSslContext (Security::ContextPointer &, Security::CertList &)
 
void useSquidUntrusted (SSL_CTX *sslContext)
 
void readCertChainAndPrivateKeyFromFiles (Security::CertPointer &cert, Security::PrivateKeyPointer &pkey, Security::CertList &chain, char const *certFilename, char const *keyFilename)
 
int matchX509CommonNames (X509 *peer_cert, void *check_data, int(*check_func)(void *check_data, ASN1_STRING *cn_data))
 
bool checkX509ServerValidity (X509 *cert, const char *server)
 
int asn1timeToString (ASN1_TIME *tm, char *buf, int len)
 
bool setClientSNI (SSL *ssl, const char *fqdn)
 
void InRamCertificateDbKey (const Ssl::CertificateProperties &certProperties, SBuf &key)
 
BIO * BIO_new_SBuf (SBuf *buf)
 

Variables

Config TheConfig
 
GlobalContextStorage TheGlobalContextStorage
 Global cache for storing all SSL server certificates. More...
 
const char * CertSignAlgorithmStr []
 
const char * CertAdaptAlgorithmStr []
 
GETX509ATTRIBUTE GetX509UserAttribute
 
GETX509ATTRIBUTE GetX509CAAttribute
 
GETX509ATTRIBUTE GetX509Fingerprint
 
const EVP_MD * DefaultSignHash = NULL
 
std::vector< const char * > BumpModeStr
 

Typedef Documentation

typedef std::unique_ptr<ASN1_INTEGER, HardFun<void, ASN1_INTEGER*, &ASN1_INTEGER_free> > Ssl::ASN1_INT_Pointer

Definition at line 52 of file gadgets.h.

typedef std::unique_ptr<ASN1_OCTET_STRING, HardFun<void, ASN1_OCTET_STRING*, &ASN1_OCTET_STRING_free> > Ssl::ASN1_OCTET_STRING_Pointer

Definition at line 54 of file gadgets.h.

typedef std::unique_ptr<AUTHORITY_KEYID, HardFun<void, AUTHORITY_KEYID*, &AUTHORITY_KEYID_free> > Ssl::AUTHORITY_KEYID_Pointer

Definition at line 64 of file gadgets.h.

typedef std::unique_ptr<BIGNUM, HardFun<void, BIGNUM*, &BN_free> > Ssl::BIGNUM_Pointer

Definition at line 48 of file gadgets.h.

typedef std::unique_ptr<BIO, HardFun<void, BIO*, &BIO_vfree> > Ssl::BIO_Pointer

Definition at line 50 of file gadgets.h.

typedef std::multimap< SBuf, X509 * > Ssl::CertsIndexedList

Definition at line 145 of file support.h.

typedef SSL_METHOD* Ssl::ContextMethod

Definition at line 35 of file gadgets.h.

typedef std::unique_ptr<GENERAL_NAME, HardFun<void, GENERAL_NAME*, &GENERAL_NAME_free> > Ssl::GENERAL_NAME_Pointer

Definition at line 69 of file gadgets.h.

typedef std::unique_ptr<STACK_OF(GENERAL_NAME), sk_GENERAL_NAME_free_wrapper> Ssl::GENERAL_NAME_STACK_Pointer

Definition at line 67 of file gadgets.h.

typedef std::unordered_map<SBuf, GeneratorRequest*> Ssl::GeneratorRequests

Definition at line 52 of file helper.cc.

typedef std::unique_ptr<RSA, HardFun<void, RSA*, &RSA_free> > Ssl::RSA_Pointer

Definition at line 60 of file gadgets.h.

typedef std::unique_ptr<TXT_DB, HardFun<void, TXT_DB*, &TXT_DB_free> > Ssl::TXT_DB_Pointer

Definition at line 56 of file gadgets.h.

typedef std::unique_ptr<X509_EXTENSION, HardFun<void, X509_EXTENSION*, &X509_EXTENSION_free> > Ssl::X509_EXTENSION_Pointer

Definition at line 71 of file gadgets.h.

typedef std::unique_ptr<X509_NAME, HardFun<void, X509_NAME*, &X509_NAME_free> > Ssl::X509_NAME_Pointer

Definition at line 58 of file gadgets.h.

typedef std::unique_ptr<X509_REQ, HardFun<void, X509_REQ*, &X509_REQ_free> > Ssl::X509_REQ_Pointer

Definition at line 62 of file gadgets.h.

typedef std::unique_ptr<STACK_OF(X509), sk_X509_free_wrapper> Ssl::X509_STACK_Pointer

Definition at line 46 of file gadgets.h.

Enumeration Type Documentation

Enumerator
bumpStep1 
bumpStep2 
bumpStep3 

Definition at line 127 of file support.h.

Function Documentation

void Ssl::errorDetailClean ( )

Definition at line 20 of file ErrorDetailManager.cc.

References Ssl::ErrorDetailsManager::Shutdown().

Referenced by errorClean().

void Ssl::errorDetailInitialize ( )

Definition at line 15 of file ErrorDetailManager.cc.

References Ssl::ErrorDetailsManager::GetInstance().

Referenced by errorInitialize().

bool Ssl::ErrorIsOptional ( const char *  name)
Returns
true if the TLS error is optional, i.e. it may not be supported by the current Squid version

Definition at line 405 of file ErrorDetail.cc.

References i, NULL, and OptionalSslErrors.

Referenced by Ssl::ErrorDetailFile::parse().

Security::ErrorCode Ssl::GetErrorCode ( const char *  name)
const char * Ssl::GetErrorDescr ( Security::ErrorCode  value)

Definition at line 415 of file ErrorDetail.cc.

Referenced by ssl_verify_cb().

static void Ssl::HandleGeneratorReply ( void *  data,
const ::Helper::Reply reply 
)
static
void Ssl::MaybeSetupRsaCallback ( Security::ContextPointer ctx)

Definition at line 150 of file support.cc.

References debugs.

Referenced by InitClientContext(), and Security::ServerOptions::updateContextConfig().

void Ssl::missingChainCertificatesUrls ( std::queue< SBuf > &  URIs,
Security::CertList const &  serverCertificates,
const Security::ContextPointer context 
)

Fills the URIs queue with the URIs of certificates missing from the serverCertificates chain, when the certificate's Authority Info Access extension provides them. Because these URIs are taken from the (not yet verified) server certificate, anything fetched from them is added only as untrusted chain-building material (see SSL_add_untrusted_cert), never as a trust anchor.

Definition at line 1100 of file support.cc.

References i, and uriOfIssuerIfMissing().

Referenced by Security::PeerConnector::checkForMissingCertificates().

bool Ssl::ParseErrorString ( const char *  name,
Security::Errors errors 
)

Converts the user-friendly error "name" into a Security::ErrorCode and adds it to the provided container (using emplace). Both numeric error numbers and symbolic names are accepted. NOTE(review): the implementation references fatalf(), so an unrecognized name may terminate Squid rather than simply return false — confirm before relying on the boolean result alone.

Definition at line 356 of file ErrorDetail.cc.

References assert, fatalf(), GetErrorCode(), i, loadSslErrorShortcutsMap(), NULL, SQUID_SSL_ERROR_MAX, SQUID_SSL_ERROR_MIN, TheSslErrorShortcuts, and xisdigit.

Referenced by ACLSslErrorData::parse().

void Ssl::SetupVerifyCallback ( Security::ContextPointer ctx)

Definition at line 380 of file support.cc.

References ssl_verify_cb().

Referenced by InitClientContext(), and Security::ServerOptions::updateContextClientCa().

Ssl::sk_dtor_wrapper ( sk_X509  ,
STACK_OF(X509)*  ,
X509_free   
)

std::unique_ptr typedefs for common SSL objects

Ssl::sk_dtor_wrapper ( sk_GENERAL_NAME  ,
STACK_OF(GENERAL_NAME)*  ,
GENERAL_NAME_free   
)
void Ssl::SSL_add_untrusted_cert ( SSL *  ssl,
X509 *  cert 
)

Adds the certificate cert to the SSL object's list of untrusted certificates. Squid attaches to each SSL object a list of untrusted certificates that can be used to complete incomplete chains sent by the SSL server; they are chain-building material only and are not treated as trust anchors.

Definition at line 1112 of file support.cc.

References ssl_ex_index_ssl_untrusted_chain, and STACK_OF().

Referenced by Security::PeerConnector::certDownloadingDone().

const char * Ssl::uriOfIssuerIfMissing ( X509 *  cert,
Security::CertList const &  serverCertificates,
const Security::ContextPointer context 
)

Searches the serverCertificates list for the issuer of cert; if it is not found and cert's Authority Info Access extension provides a CA Issuers URI, returns that URI.

Definition at line 1079 of file support.cc.

References findCertIssuer(), findCertIssuerFast(), hasAuthorityInfoAccessCaIssuers(), issuerExistInCaDb(), and SquidUntrustedCerts.

Referenced by Security::PeerConnector::certDownloadingDone(), and missingChainCertificatesUrls().

const ASN1_BIT_STRING * Ssl::X509_get_signature ( const Security::CertPointer &  cert)

Wrapper for OpenSSL X509_get0_signature() that takes care of portability issues with older OpenSSL versions.

Definition at line 949 of file gadgets.cc.

Referenced by InRamCertificateDbKey(), and printX509Signature().

Variable Documentation

const EVP_MD * Ssl::DefaultSignHash = NULL

Definition at line 43 of file support.cc.

Referenced by ConnStateData::buildSslCertGenerationParams(), and Initialize().

 
