... Pointer is used in Squid for smart pointers, which this is not (yet).
Also convert remaining SSL_CTX* instances with ContextPtr.
/// security settings for peer connection
Security::PeerOptions secure;
- Security::ContextPointer sslContext;
+ Security::ContextPtr sslContext;
#if USE_OPENSSL
SSL_SESSION *sslSession;
#endif
external_acl *externalAclHelperList;
struct {
- Security::ContextPointer sslContext;
+ Security::ContextPtr sslContext;
#if USE_OPENSSL
acl_access *cert_error;
sslproxy_cert_sign *cert_sign;
// receive either an ICAP OPTIONS response header or an abort message
virtual void noteAdaptationAnswer(const Answer &answer);
- Security::ContextPointer sslContext;
+ Security::ContextPtr sslContext;
#if USE_OPENSSL
SSL_SESSION *sslSession;
#endif
/* PeerConnector API */
virtual Security::SessionPointer initializeSsl();
virtual void noteNegotiationDone(ErrorState *error);
- virtual Security::ContextPointer getSslContext() {return icapService->sslContext;}
+ virtual Security::ContextPtr getSslContext() {return icapService->sslContext;}
private:
Adaptation::Icap::ServiceRep::Pointer icapService;
#if 0
// TODO: AYJ: 2015-01-15: for now SSL does not clone the context object.
// cloning should only be done before the PortCfg is post-configure initialized and opened
- Security::ContextPointer sslContext;
+ Security::ContextPtr sslContext;
#endif
#endif /*0*/
/** Create SSL connection structure and update fd_table */
static Security::SessionPointer
-httpsCreate(const Comm::ConnectionPointer &conn, Security::ContextPointer sslContext)
+httpsCreate(const Comm::ConnectionPointer &conn, Security::ContextPtr sslContext)
{
if (auto ssl = Ssl::CreateServer(sslContext, conn->fd, "client https start")) {
debugs(33, 5, "will negotate SSL on " << conn);
}
/**
- * If Security::ContextPointer is given, starts reading the TLS handshake.
- * Otherwise, calls switchToHttps to generate a dynamic Security::ContextPointer.
+ * If Security::ContextPtr is given, starts reading the TLS handshake.
+ * Otherwise, calls switchToHttps to generate a dynamic Security::ContextPtr.
*/
static void
-httpsEstablish(ConnStateData *connState, Security::ContextPointer sslContext)
+httpsEstablish(ConnStateData *connState, Security::ContextPtr sslContext)
{
Security::SessionPointer ssl = nullptr;
assert(connState);
acl_checklist->nonBlockingCheck(httpsSslBumpAccessCheckDone, this);
return;
} else {
- Security::ContextPointer sslContext = port->staticSslContext.get();
+ Security::ContextPtr sslContext = port->staticSslContext.get();
httpsEstablish(this, sslContext);
}
}
if (!(sslServerBump && (sslServerBump->act.step1 == Ssl::bumpPeek || sslServerBump->act.step1 == Ssl::bumpStare))) {
debugs(33, 5, "Finding SSL certificate for " << sslBumpCertKey << " in cache");
Ssl::LocalContextStorage * ssl_ctx_cache = Ssl::TheGlobalContextStorage.getLocalStorage(port->s);
- Security::ContextPointer dynCtx = nullptr;
+ Security::ContextPtr dynCtx = nullptr;
Ssl::SSL_CTX_Pointer *cachedCtx = ssl_ctx_cache ? ssl_ctx_cache->get(sslBumpCertKey.termedBuf()) : NULL;
if (cachedCtx && (dynCtx = cachedCtx->get())) {
debugs(33, 5, "SSL certificate for " << sslBumpCertKey << " found in cache");
}
void
-ConnStateData::getSslContextDone(Security::ContextPointer sslContext, bool isNew)
+ConnStateData::getSslContextDone(Security::ContextPtr sslContext, bool isNew)
{
// Try to add generated ssl context to storage.
if (port->generateHostCertificates && isNew) {
/// \retval false otherwise
bool spliceOnError(const err_type err);
- /// Start to create dynamic SSL_CTX for host or uses static port SSL context.
+ /// Start to create dynamic Security::ContextPtr for host or uses static port SSL context.
void getSslContextStart();
/**
* Done create dynamic ssl certificate.
*
* \param[in] isNew if generated certificate is new, so we need to add this certificate to storage.
*/
- void getSslContextDone(Security::ContextPointer sslContext, bool isNew = false);
+ void getSslContextDone(Security::ContextPtr sslContext, bool isNew = false);
/// Callback function. It is called when squid receive message from ssl_crtd.
static void sslCrtdHandleReplyWrapper(void *data, const Helper::Reply &reply);
/// Proccess response from ssl_crtd.
READ_HANDLER *read_method;
WRITE_HANDLER *write_method;
Security::SessionPointer ssl;
- Security::ContextPointer dynamicSslContext; ///< cached and then freed when fd is closed
+ Security::ContextPtr dynamicSslContext; ///< cached and then freed when fd is closed
#if _SQUID_WINDOWS_
struct {
long handle;
namespace Security {
#if USE_OPENSSL
-typedef SSL_CTX* ContextPointer;
+typedef SSL_CTX* ContextPtr;
#elif USE_GNUTLS
-typedef gnutls_certificate_credentials_t ContextPointer;
+typedef gnutls_certificate_credentials_t ContextPtr;
#else
-// use void* so we can check against NULL
-typedef void* ContextPointer;
+// use void* so we can check against nullptr
+typedef void* ContextPtr;
#endif
} // namespace Security
}
// XXX: make a GnuTLS variant
-Security::ContextPointer
+Security::ContextPtr
Security::PeerOptions::createClientContext(bool setOptions)
{
- Security::ContextPointer t = nullptr;
+ Security::ContextPtr t = nullptr;
updateTlsVersionLimits();
}
void
-Security::PeerOptions::updateContextCa(Security::ContextPointer &ctx)
+Security::PeerOptions::updateContextCa(Security::ContextPtr &ctx)
{
debugs(83, 8, "Setting CA certificate locations.");
}
void
-Security::PeerOptions::updateContextCrl(Security::ContextPointer &ctx)
+Security::PeerOptions::updateContextCrl(Security::ContextPtr &ctx)
{
#if USE_OPENSSL
bool verifyCrl = false;
virtual void clear() {*this = PeerOptions();}
/// generate a security client-context from these configured options
- Security::ContextPointer createClientContext(bool setOptions);
+ Security::ContextPtr createClientContext(bool setOptions);
/// sync the context options with tls-min-version=N configuration
void updateTlsVersionLimits();
/// setup the CA details for the given context
- void updateContextCa(Security::ContextPointer &);
+ void updateContextCa(Security::ContextPtr &);
/// setup the CRL details for the given context
- void updateContextCrl(Security::ContextPointer &);
+ void updateContextCrl(Security::ContextPtr &);
/// output squid.conf syntax with 'pfx' prefix on parameters for the stored settings
virtual void dumpCfg(Packable *, const char *pfx) const;
}
void
-Security::ServerOptions::updateContextEecdh(Security::ContextPointer &ctx)
+Security::ServerOptions::updateContextEecdh(Security::ContextPtr &ctx)
{
// set Elliptic Curve details into the server context
if (!eecdhCurve.isEmpty()) {
virtual void dumpCfg(Packable *, const char *pfx) const;
/// update the context with DH, EDH, EECDH settings
- void updateContextEecdh(Security::ContextPointer &);
+ void updateContextEecdh(Security::ContextPtr &);
private:
void loadDhParams();
SSL *
Ssl::PeerConnector::initializeSsl()
{
- SSL_CTX *sslContext = getSslContext();
+ Security::ContextPtr sslContext(getSslContext());
assert(sslContext);
const int fd = serverConnection()->fd;
return buf.content();
}
-SSL_CTX *
+Security::ContextPtr
Ssl::BlindPeerConnector::getSslContext()
{
if (const CachePeer *peer = serverConnection()->getPeer()) {
assert(peer->secure.encryptTransport);
- SSL_CTX *sslContext = peer->sslContext;
+ Security::ContextPtr sslContext(peer->sslContext);
return sslContext;
}
- return NULL;
+ return nullptr;
}
SSL *
}
}
-SSL_CTX *
+Security::ContextPtr
Ssl::PeekingPeerConnector::getSslContext()
{
// XXX: locate a per-server context in Security:: instead
/// \param error if not NULL the SSL negotiation was aborted with an error
virtual void noteNegotiationDone(ErrorState *error) {}
- /// Must implemented by the kid classes to return the SSL_CTX object to use
+ /// Must implemented by the kid classes to return the Security::ContextPtr object to use
/// for building the SSL objects.
- virtual SSL_CTX *getSslContext() = 0;
+ virtual Security::ContextPtr getSslContext() = 0;
/// mimics FwdState to minimize changes to FwdState::initiate/negotiateSsl
Comm::ConnectionPointer const &serverConnection() const { return serverConn; }
/// and sets the hostname to use for certificates validation
virtual SSL *initializeSsl();
- /// Return the configured SSL_CTX object
- virtual SSL_CTX *getSslContext();
+ /// Return the configured Security::ContextPtr object
+ virtual Security::ContextPtr getSslContext();
/// On error calls peerConnectFailed function, on success store the used SSL session
/// for later use
/* PeerConnector API */
virtual SSL *initializeSsl();
- virtual SSL_CTX *getSslContext();
+ virtual Security::ContextPtr getSslContext();
virtual void noteWantWrite();
virtual void noteSslNegotiationError(const int result, const int ssl_error, const int ssl_lib_error);
virtual void noteNegotiationDone(ErrorState *error);
#include <cerrno>
-static void setSessionCallbacks(SSL_CTX *ctx);
+static void setSessionCallbacks(Security::ContextPtr ctx);
Ipc::MemMap *SslSessionCache = NULL;
const char *SslSessionCacheName = "ssl_session_cache";
char buffer[256] = "";
SSL *ssl = (SSL *)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
- SSL_CTX *sslctx = SSL_get_SSL_CTX(ssl);
+ Security::ContextPtr sslctx = SSL_get_SSL_CTX(ssl);
SBuf *server = (SBuf *)SSL_get_ex_data(ssl, ssl_ex_index_server);
void *dont_verify_domain = SSL_CTX_get_ex_data(sslctx, ssl_ctx_ex_index_dont_verify_domain);
ACLChecklist *check = (ACLChecklist*)SSL_get_ex_data(ssl, ssl_ex_index_cert_error_check);
#endif
static bool
-configureSslContext(SSL_CTX *sslContext, AnyP::PortCfg &port)
+configureSslContext(Security::ContextPtr sslContext, AnyP::PortCfg &port)
{
int ssl_error;
SSL_CTX_set_options(sslContext, port.secure.parsedOptions);
return true;
}
-SSL_CTX *
+Security::ContextPtr
sslCreateServerContext(AnyP::PortCfg &port)
{
ssl_initialize();
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
- SSL_CTX *sslContext = SSL_CTX_new(TLS_server_method());
+ Security::ContextPtr sslContext(SSL_CTX_new(TLS_server_method()));
#else
- SSL_CTX *sslContext = SSL_CTX_new(SSLv23_server_method());
+ Security::ContextPtr sslContext(SSL_CTX_new(SSLv23_server_method()));
#endif
if (sslContext == NULL) {
}
#endif
-SSL_CTX *
+Security::ContextPtr
sslCreateClientContext(const char *certfile, const char *keyfile, const char *cipher, long options, long fl)
{
ssl_initialize();
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
- SSL_CTX *sslContext = SSL_CTX_new(TLS_client_method());
+ Security::ContextPtr sslContext(SSL_CTX_new(TLS_client_method()));
#else
- SSL_CTX *sslContext = SSL_CTX_new(SSLv23_client_method());
+ Security::ContextPtr sslContext(SSL_CTX_new(SSLv23_client_method()));
#endif
if (sslContext == NULL) {
return str;
}
-/// \ingroup ServerProtocolSSLInternal
/// Create SSL context and apply ssl certificate and private key to it.
-SSL_CTX *
+Security::ContextPtr
Ssl::createSSLContext(Security::CertPointer & x509, Ssl::EVP_PKEY_Pointer & pkey, AnyP::PortCfg &port)
{
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
return sslContext.release();
}
-SSL_CTX *
+Security::ContextPtr
Ssl::generateSslContextUsingPkeyAndCertFromMemory(const char * data, AnyP::PortCfg &port)
{
Security::CertPointer cert;
Ssl::EVP_PKEY_Pointer pkey;
- if (!readCertAndPrivateKeyFromMemory(cert, pkey, data))
- return NULL;
-
- if (!cert || !pkey)
- return NULL;
+ if (!readCertAndPrivateKeyFromMemory(cert, pkey, data) || !cert || !pkey)
+ return nullptr;
return createSSLContext(cert, pkey, port);
}
-SSL_CTX *
+Security::ContextPtr
Ssl::generateSslContext(CertificateProperties const &properties, AnyP::PortCfg &port)
{
Security::CertPointer cert;
Ssl::EVP_PKEY_Pointer pkey;
- if (!generateSslCertificate(cert, pkey, properties))
- return NULL;
-
- if (!cert)
- return NULL;
-
- if (!pkey)
- return NULL;
+ if (!generateSslCertificate(cert, pkey, properties) || !cert || !pkey)
+ return nullptr;
return createSSLContext(cert, pkey, port);
}
return true;
}
-bool Ssl::verifySslCertificate(SSL_CTX * sslContext, CertificateProperties const &properties)
+bool Ssl::verifySslCertificate(Security::ContextPtr sslContext, CertificateProperties const &properties)
{
// SSL_get_certificate is buggy in openssl versions 1.0.1d and 1.0.1e
- // Try to retrieve certificate directly from SSL_CTX object
+ // Try to retrieve certificate directly from Security::ContextPtr object
#if SQUID_USE_SSLGETCERTIFICATE_HACK
X509 ***pCert = (X509 ***)sslContext->cert;
X509 * cert = pCert && *pCert ? **pCert : NULL;
#endif
}
-void Ssl::addChainToSslContext(SSL_CTX *sslContext, STACK_OF(X509) *chain)
+void Ssl::addChainToSslContext(Security::ContextPtr sslContext, STACK_OF(X509) *chain)
{
if (!chain)
return;
}
SSL *
-SslCreate(SSL_CTX *sslContext, const int fd, Ssl::Bio::Type type, const char *squidCtx)
+SslCreate(Security::ContextPtr sslContext, const int fd, Ssl::Bio::Type type, const char *squidCtx)
{
if (fd < 0) {
debugs(83, DBG_IMPORTANT, "Gone connection");
}
SSL *
-Ssl::CreateClient(SSL_CTX *sslContext, const int fd, const char *squidCtx)
+Ssl::CreateClient(Security::ContextPtr sslContext, const int fd, const char *squidCtx)
{
return SslCreate(sslContext, fd, Ssl::Bio::BIO_TO_SERVER, squidCtx);
}
SSL *
-Ssl::CreateServer(SSL_CTX *sslContext, const int fd, const char *squidCtx)
+Ssl::CreateServer(Security::ContextPtr sslContext, const int fd, const char *squidCtx)
{
return SslCreate(sslContext, fd, Ssl::Bio::BIO_TO_CLIENT, squidCtx);
}
}
static void
-setSessionCallbacks(SSL_CTX *ctx)
+setSessionCallbacks(Security::ContextPtr ctx)
{
if (SslSessionCache) {
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL);
/// Creates SSL Client connection structure and initializes SSL I/O (Comm and BIO).
/// On errors, emits DBG_IMPORTANT with details and returns NULL.
-SSL *CreateClient(SSL_CTX *sslContext, const int fd, const char *squidCtx);
+SSL *CreateClient(Security::ContextPtr sslContext, const int fd, const char *squidCtx);
/// Creates SSL Server connection structure and initializes SSL I/O (Comm and BIO).
/// On errors, emits DBG_IMPORTANT with details and returns NULL.
-SSL *CreateServer(SSL_CTX *sslContext, const int fd, const char *squidCtx);
+SSL *CreateServer(Security::ContextPtr sslContext, const int fd, const char *squidCtx);
/// An SSL certificate-related error.
/// Pairs an error code with the certificate experiencing the error.
} //namespace Ssl
/// \ingroup ServerProtocolSSLAPI
-SSL_CTX *sslCreateServerContext(AnyP::PortCfg &port);
+Security::ContextPtr sslCreateServerContext(AnyP::PortCfg &port);
/// \ingroup ServerProtocolSSLAPI
-SSL_CTX *sslCreateClientContext(const char *certfile, const char *keyfile, const char *cipher, long options, long flags);
+Security::ContextPtr sslCreateClientContext(const char *certfile, const char *keyfile, const char *cipher, long options, long flags);
/// \ingroup ServerProtocolSSLAPI
int ssl_read_method(int, char *, int);
\ingroup ServerProtocolSSLAPI
* Decide on the kind of certificate and generate a CA- or self-signed one
*/
-SSL_CTX * generateSslContext(CertificateProperties const &properties, AnyP::PortCfg &port);
+Security::ContextPtr generateSslContext(CertificateProperties const &properties, AnyP::PortCfg &port);
/**
\ingroup ServerProtocolSSLAPI
\param properties Check if the context certificate matches the given properties
\return true if the contexts certificate is valid, false otherwise
*/
-bool verifySslCertificate(SSL_CTX * sslContext, CertificateProperties const &properties);
+bool verifySslCertificate(Security::ContextPtr sslContext, CertificateProperties const &properties);
/**
\ingroup ServerProtocolSSLAPI
* Read private key and certificate from memory and generate SSL context
* using their.
*/
-SSL_CTX * generateSslContextUsingPkeyAndCertFromMemory(const char * data, AnyP::PortCfg &port);
+Security::ContextPtr generateSslContextUsingPkeyAndCertFromMemory(const char * data, AnyP::PortCfg &port);
/**
\ingroup ServerProtocolSSLAPI
* Create an SSL context using the provided certificate and key
*/
-SSL_CTX * createSSLContext(Security::CertPointer & x509, Ssl::EVP_PKEY_Pointer & pkey, AnyP::PortCfg &port);
+Security::ContextPtr createSSLContext(Security::CertPointer & x509, Ssl::EVP_PKEY_Pointer & pkey, AnyP::PortCfg &port);
/**
\ingroup ServerProtocolSSLAPI
\ingroup ServerProtocolSSLAPI
* Adds the certificates in certList to the certificate chain of the SSL context
*/
-void addChainToSslContext(SSL_CTX *sslContext, STACK_OF(X509) *certList);
+void addChainToSslContext(Security::ContextPtr sslContext, STACK_OF(X509) *certList);
/**
\ingroup ServerProtocolSSLAPI
#if USE_OPENSSL
void ConnStateData::httpsPeeked(Comm::ConnectionPointer serverConnection) STUB
void ConnStateData::getSslContextStart() STUB
-void ConnStateData::getSslContextDone(Security::ContextPointer, bool) STUB
+void ConnStateData::getSslContextDone(Security::ContextPtr, bool) STUB
void ConnStateData::sslCrtdHandleReplyWrapper(void *data, const Helper::Reply &reply) STUB
void ConnStateData::sslCrtdHandleReply(const Helper::Reply &reply) STUB
void ConnStateData::switchToHttps(HttpRequest *request, Ssl::BumpMode bumpServerMode) STUB
#include "security/PeerOptions.h"
Security::PeerOptions Security::ProxyOutgoingConfig;
void Security::PeerOptions::parse(char const*) STUB
-Security::ContextPointer Security::PeerOptions::createClientContext(bool) STUB_RETVAL(NULL)
+Security::ContextPtr Security::PeerOptions::createClientContext(bool) STUB_RETVAL(NULL)
void Security::PeerOptions::updateTlsVersionLimits() STUB
-void Security::PeerOptions::updateContextCa(Security::ContextPointer &) STUB
-void Security::PeerOptions::updateContextCrl(Security::ContextPointer &) STUB
+void Security::PeerOptions::updateContextCa(Security::ContextPtr &) STUB
+void Security::PeerOptions::updateContextCrl(Security::ContextPtr &) STUB
void Security::PeerOptions::dumpCfg(Packable*, char const*) const STUB
long Security::PeerOptions::parseOptions() STUB_RETVAL(0)
long Security::PeerOptions::parseFlags() STUB_RETVAL(0)
//Security::ServerOptions::ServerOptions(const Security::ServerOptions &) STUB
void Security::ServerOptions::parse(const char *) STUB
void Security::ServerOptions::dumpCfg(Packable *, const char *) const STUB
-void Security::ServerOptions::updateContextEecdh(Security::ContextPointer &) STUB
+void Security::ServerOptions::updateContextEecdh(Security::ContextPtr &) STUB
bool CertError::operator == (const CertError &ce) const STUB_RETVAL(false)
bool CertError::operator != (const CertError &ce) const STUB_RETVAL(false)
} // namespace Ssl
-SSL_CTX *sslCreateServerContext(AnyP::PortCfg &port) STUB_RETVAL(NULL)
-SSL_CTX *sslCreateClientContext(const char *certfile, const char *keyfile, const char *cipher, long options, const char *flags) STUB_RETVAL(NULL)
+Security::ContextPtr sslCreateServerContext(AnyP::PortCfg &port) STUB_RETVAL(NULL)
+Security::ContextPtr sslCreateClientContext(const char *certfile, const char *keyfile, const char *cipher, long options, const char *flags) STUB_RETVAL(NULL)
int ssl_read_method(int, char *, int) STUB_RETVAL(0)
int ssl_write_method(int, const char *, int) STUB_RETVAL(0)
void ssl_shutdown_method(SSL *ssl) STUB
//GETX509ATTRIBUTE GetX509Fingerprint;
const char *BumpModeStr[] = {""};
bool generateUntrustedCert(Security::CertPointer & untrustedCert, EVP_PKEY_Pointer & untrustedPkey, Security::CertPointer const & cert, EVP_PKEY_Pointer const & pkey) STUB_RETVAL(false)
-SSL_CTX * generateSslContext(CertificateProperties const &properties, AnyP::PortCfg &port) STUB_RETVAL(NULL)
-bool verifySslCertificate(SSL_CTX * sslContext, CertificateProperties const &properties) STUB_RETVAL(false)
-SSL_CTX * generateSslContextUsingPkeyAndCertFromMemory(const char * data, AnyP::PortCfg &port) STUB_RETVAL(NULL)
-void addChainToSslContext(SSL_CTX *sslContext, STACK_OF(X509) *certList) STUB
+Security::ContextPtr generateSslContext(CertificateProperties const &properties, AnyP::PortCfg &port) STUB_RETVAL(NULL)
+bool verifySslCertificate(Security::ContextPtr sslContext, CertificateProperties const &properties) STUB_RETVAL(false)
+Security::ContextPtr generateSslContextUsingPkeyAndCertFromMemory(const char * data, AnyP::PortCfg &port) STUB_RETVAL(NULL)
+void addChainToSslContext(Security::ContextPtr sslContext, STACK_OF(X509) *certList) STUB
void readCertChainAndPrivateKeyFromFiles(Security::CertPointer & cert, EVP_PKEY_Pointer & pkey, X509_STACK_Pointer & chain, char const * certFilename, char const * keyFilename) STUB
int matchX509CommonNames(X509 *peer_cert, void *check_data, int (*check_func)(void *check_data, ASN1_STRING *cn_data)) STUB_RETVAL(0)
bool checkX509ServerValidity(X509 *cert, const char *server) STUB_RETVAL(false)