Crypto-NG: add SessionPointer type to libsecurity API
authorAmos Jeffries <squid3@treenet.co.nz>
Mon, 13 Jul 2015 15:21:26 +0000 (08:21 -0700)
committerAmos Jeffries <squid3@treenet.co.nz>
Mon, 13 Jul 2015 15:21:26 +0000 (08:21 -0700)
This type represents the appropriate TLS connection state session
pointer for whichever crypto library is linked against.

Also replaces all uses of SSL* outside of src/ssl/ with the new
Security::SessionPointer type or 'auto'.

src/acl/Certificate.cc
src/adaptation/icap/Xaction.cc
src/client_side.cc
src/client_side_request.cc
src/external_acl.cc
src/fde.h
src/security/Makefile.am
src/security/Session.h [new file with mode: 0644]
src/security/forward.h
src/tunnel.cc

index 30974aeaaa889933e7807b3fb1ed00e39edf51ea..8b09e10e6221494efc24ec67d003f3201c6ea91b 100644 (file)
@@ -28,7 +28,7 @@ ACLCertificateStrategy::match (ACLData<MatchType> * &data, ACLFilledChecklist *c
 {
     const int fd = checklist->fd();
     const bool goodDescriptor = 0 <= fd && fd <= Biggest_FD;
-    SSL *ssl = goodDescriptor ? fd_table[fd].ssl : 0;
+    auto ssl = goodDescriptor ? fd_table[fd].ssl : nullptr;
     X509 *cert = SSL_get_peer_certificate(ssl);
     const bool res = data->match (cert);
     X509_free(cert);
index 69c622eae7574010c599043eb6f367b2f97fc9cf..66e092d90351c43c05a021e04fe714a40b4888ff 100644 (file)
@@ -60,7 +60,7 @@ public:
         PeerConnector(aServerConn, aCallback, timeout), icapService(service) {}
 
     /* PeerConnector API */
-    virtual SSL *initializeSsl();
+    virtual Security::SessionPointer initializeSsl();
     virtual void noteNegotiationDone(ErrorState *error);
     virtual SSL_CTX *getSslContext() {return icapService->sslContext; }
 
@@ -296,7 +296,7 @@ void Adaptation::Icap::Xaction::noteCommConnected(const CommConnectCbParams &io)
 #if USE_OPENSSL
     // If it is a reused connection and the SSL object is build
     // we should not negotiate new SSL session
-    SSL *ssl = fd_table[io.conn->fd].ssl;
+    auto ssl = fd_table[io.conn->fd].ssl;
     if (!ssl && service().cfg().secure.encryptTransport) {
         CbcPointer<Adaptation::Icap::Xaction> me(this);
         securer = asyncCall(93, 4, "Adaptation::Icap::Xaction::handleSecuredPeer",
@@ -696,12 +696,12 @@ bool Adaptation::Icap::Xaction::fillVirginHttpHeader(MemBuf &) const
 }
 
 #if USE_OPENSSL
-SSL *
+Security::SessionPointer
 Ssl::IcapPeerConnector::initializeSsl()
 {
-    SSL *ssl = Ssl::PeerConnector::initializeSsl();
+    auto ssl = Ssl::PeerConnector::initializeSsl();
     if (!ssl)
-        return NULL;
+        return nullptr;
 
     assert(!icapService->cfg().secure.sslDomain.isEmpty());
     SBuf *host = new SBuf(icapService->cfg().secure.sslDomain);
@@ -724,7 +724,7 @@ Ssl::IcapPeerConnector::noteNegotiationDone(ErrorState *error)
         return;
 
     const int fd = serverConnection()->fd;
-    SSL *ssl = fd_table[fd].ssl;
+    auto ssl = fd_table[fd].ssl;
     assert(ssl);
     if (!SSL_session_reused(ssl)) {
         if (icapService->sslSession)
index 9eff410be274d939e011295ea8d9131cb07ba8d8..313e93315e10f45f4367da03a16b0cf0e715e2b2 100644 (file)
@@ -3519,16 +3519,16 @@ httpAccept(const CommAcceptCbParams &params)
 #if USE_OPENSSL
 
 /** Create SSL connection structure and update fd_table */
-static SSL *
+static Security::SessionPointer
 httpsCreate(const Comm::ConnectionPointer &conn, SSL_CTX *sslContext)
 {
-    if (SSL *ssl = Ssl::CreateServer(sslContext, conn->fd, "client https start")) {
+    if (auto ssl = Ssl::CreateServer(sslContext, conn->fd, "client https start")) {
         debugs(33, 5, "will negotate SSL on " << conn);
         return ssl;
     }
 
     conn->close();
-    return NULL;
+    return nullptr;
 }
 
 /**
@@ -3541,7 +3541,7 @@ static int
 Squid_SSL_accept(ConnStateData *conn, PF *callback)
 {
     int fd = conn->clientConnection->fd;
-    SSL *ssl = fd_table[fd].ssl;
+    auto ssl = fd_table[fd].ssl;
     int ret;
 
     errno = 0;
@@ -3590,7 +3590,7 @@ clientNegotiateSSL(int fd, void *data)
 {
     ConnStateData *conn = (ConnStateData *)data;
     X509 *client_cert;
-    SSL *ssl = fd_table[fd].ssl;
+    auto ssl = fd_table[fd].ssl;
 
     int ret;
     if ((ret = Squid_SSL_accept(conn, clientNegotiateSSL)) <= 0) {
@@ -3674,7 +3674,7 @@ clientNegotiateSSL(int fd, void *data)
 static void
 httpsEstablish(ConnStateData *connState,  SSL_CTX *sslContext)
 {
-    SSL *ssl = NULL;
+    Security::SessionPointer ssl = nullptr;
     assert(connState);
     const Comm::ConnectionPointer &details = connState->clientConnection;
 
@@ -3820,12 +3820,12 @@ ConnStateData::sslCrtdHandleReply(const Helper::Reply &reply)
                 debugs(33, 5, HERE << "Certificate for " << sslConnectHostOrIp << " was successfully recieved from ssl_crtd");
                 if (sslServerBump && (sslServerBump->act.step1 == Ssl::bumpPeek || sslServerBump->act.step1 == Ssl::bumpStare)) {
                     doPeekAndSpliceStep();
-                    SSL *ssl = fd_table[clientConnection->fd].ssl;
+                    auto ssl = fd_table[clientConnection->fd].ssl;
                     bool ret = Ssl::configureSSLUsingPkeyAndCertFromMemory(ssl, reply_message.getBody().c_str(), *port);
                     if (!ret)
                         debugs(33, 5, "Failed to set certificates to ssl object for PeekAndSplice mode");
                 } else {
-                    SSL_CTX *ctx = Ssl::generateSslContextUsingPkeyAndCertFromMemory(reply_message.getBody().c_str(), *port);
+                    auto ctx = Ssl::generateSslContextUsingPkeyAndCertFromMemory(reply_message.getBody().c_str(), *port);
                     getSslContextDone(ctx, true);
                 }
                 return;
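Review bot: `auto ctx = Ssl::generateSslContextUsingPkeyAndCertFromMemory(...)` hides that the value is a context pointer rather than the session pointer this commit is about, and is inconsistent with the `SSL_CTX *` declarations the same commit leaves spelled out (`getSslContext()` in Xaction.cc, the `sslContext` parameters of httpsCreate and httpsEstablish). I would keep the type explicit, `SSL_CTX *ctx = Ssl::generateSslContextUsingPkeyAndCertFromMemory(reply_message.getBody().c_str(), *port);`, or use the context typedef from security/Context.h if one exists, so a reader can see that `getSslContextDone(ctx, true)` may be handed a null context. Whether getSslContextDone tolerates a null context is not visible in this hunk. sslCrtdHandleReply begins and ends outside the hunk.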
@@ -3979,7 +3979,7 @@ ConnStateData::getSslContextStart()
         debugs(33, 5, HERE << "Generating SSL certificate for " << certProperties.commonName);
         if (sslServerBump && (sslServerBump->act.step1 == Ssl::bumpPeek || sslServerBump->act.step1 == Ssl::bumpStare)) {
             doPeekAndSpliceStep();
-            SSL *ssl = fd_table[clientConnection->fd].ssl;
+            auto ssl = fd_table[clientConnection->fd].ssl;
             if (!Ssl::configureSSL(ssl, certProperties, *port))
                 debugs(33, 5, "Failed to set certificates to ssl object for PeekAndSplice mode");
         } else {
@@ -4111,7 +4111,7 @@ static void
 clientPeekAndSpliceSSL(int fd, void *data)
 {
     ConnStateData *conn = (ConnStateData *)data;
-    SSL *ssl = fd_table[fd].ssl;
+    auto ssl = fd_table[fd].ssl;
 
     debugs(83, 5, "Start peek and splice on FD " << fd);
 
@@ -4173,7 +4173,7 @@ void ConnStateData::startPeekAndSplice()
     Comm::SetSelect(clientConnection->fd, COMM_SELECT_READ, clientPeekAndSpliceSSL, this, 0);
     switchedToHttps_ = true;
 
-    SSL *ssl = fd_table[clientConnection->fd].ssl;
+    auto ssl = fd_table[clientConnection->fd].ssl;
     BIO *b = SSL_get_rbio(ssl);
     Ssl::ClientBio *bio = static_cast<Ssl::ClientBio *>(b->ptr);
     bio->hold(true);
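Review bot: `BIO *b = SSL_get_rbio(ssl);` is dereferenced on the next line (`b->ptr`) without checking either the session or the BIO, while doPeekAndSpliceStep in this same commit guards the identical sequence with `assert(b);`. Since `ssl` is fetched straight out of `fd_table` here, I would add `assert(ssl);` after the `auto ssl` line and `assert(b);` before the `static_cast`, matching doPeekAndSpliceStep and switchToTunnel in tunnel.cc. The same unguarded pattern appears in ConnStateData::splice() below. startPeekAndSplice begins before the hunk and its body continues past it.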
@@ -4215,7 +4215,7 @@ void
 ConnStateData::splice()
 {
     //Normally we can splice here, because we just got client hello message
-    SSL *ssl = fd_table[clientConnection->fd].ssl;
+    auto ssl = fd_table[clientConnection->fd].ssl;
     BIO *b = SSL_get_rbio(ssl);
     Ssl::ClientBio *bio = static_cast<Ssl::ClientBio *>(b->ptr);
     MemBuf const &rbuf = bio->rBufData();
@@ -4275,7 +4275,7 @@ ConnStateData::startPeekAndSpliceDone()
 void
 ConnStateData::doPeekAndSpliceStep()
 {
-    SSL *ssl = fd_table[clientConnection->fd].ssl;
+    auto ssl = fd_table[clientConnection->fd].ssl;
     BIO *b = SSL_get_rbio(ssl);
     assert(b);
     Ssl::ClientBio *bio = static_cast<Ssl::ClientBio *>(b->ptr);
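Review bot: doPeekAndSpliceStep asserts the BIO but not the session it came from: `SSL_get_rbio(ssl)` is called with whatever `fd_table[clientConnection->fd].ssl` holds, and a null session would presumably be dereferenced inside OpenSSL before `assert(b)` ever runs. switchToTunnel in tunnel.cc (same commit) does `assert(ssl);` immediately after the same lookup; I would add that line here between the `auto ssl` and `BIO *b` lines so the failure is reported at the lookup rather than inside the library. The function body continues past the end of the hunk.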
index 6b37b01fde6e07c9d5b152f38b88b0afd00ad60d..e726b4d0dac62c97c964aef21254ed84965e8922 100644 (file)
@@ -174,7 +174,7 @@ ClientHttpRequest::ClientHttpRequest(ConnStateData * aConn) :
 
 #if USE_OPENSSL
     if (aConn->clientConnection != NULL && aConn->clientConnection->isOpen()) {
-        if (SSL *ssl = fd_table[aConn->clientConnection->fd].ssl)
+        if (auto ssl = fd_table[aConn->clientConnection->fd].ssl)
             al->cache.sslClientCert.reset(SSL_get_peer_certificate(ssl));
     }
 #endif
index be4db53290d98083e9038b287a3f67603f867f1b..a2a2656ced61c45b083a24db2c405ba629fe3572 100644 (file)
@@ -1032,9 +1032,7 @@ makeExternalAclKey(ACLFilledChecklist * ch, external_acl_data * acl_data)
         case Format::LFT_EXT_ACL_USER_CERT_RAW:
 
             if (ch->conn() != NULL && Comm::IsConnOpen(ch->conn()->clientConnection)) {
-                SSL *ssl = fd_table[ch->conn()->clientConnection->fd].ssl;
-
-                if (ssl)
+                if (auto ssl = fd_table[ch->conn()->clientConnection->fd].ssl)
                     str = sslGetUserCertificatePEM(ssl);
             }
 
@@ -1043,9 +1041,7 @@ makeExternalAclKey(ACLFilledChecklist * ch, external_acl_data * acl_data)
         case Format::LFT_EXT_ACL_USER_CERTCHAIN_RAW:
 
             if (ch->conn() != NULL && Comm::IsConnOpen(ch->conn()->clientConnection)) {
-                SSL *ssl = fd_table[ch->conn()->clientConnection->fd].ssl;
-
-                if (ssl)
+                if (auto ssl = fd_table[ch->conn()->clientConnection->fd].ssl)
                     str = sslGetUserCertificateChainPEM(ssl);
             }
 
@@ -1054,9 +1050,7 @@ makeExternalAclKey(ACLFilledChecklist * ch, external_acl_data * acl_data)
         case Format::LFT_EXT_ACL_USER_CERT:
 
             if (ch->conn() != NULL && Comm::IsConnOpen(ch->conn()->clientConnection)) {
-                SSL *ssl = fd_table[ch->conn()->clientConnection->fd].ssl;
-
-                if (ssl)
+                if (auto ssl = fd_table[ch->conn()->clientConnection->fd].ssl)
                     str = sslGetUserAttribute(ssl, format->header);
             }
 
@@ -1065,9 +1059,7 @@ makeExternalAclKey(ACLFilledChecklist * ch, external_acl_data * acl_data)
         case Format::LFT_EXT_ACL_USER_CA_CERT:
 
             if (ch->conn() != NULL && Comm::IsConnOpen(ch->conn()->clientConnection)) {
-                SSL *ssl = fd_table[ch->conn()->clientConnection->fd].ssl;
-
-                if (ssl)
+                if (auto ssl = fd_table[ch->conn()->clientConnection->fd].ssl)
                     str = sslGetCAAttribute(ssl, format->header);
             }
 
index 046779a7534925c11fdf8fece6bd3a48f4498dc8..01afa88280a90edf8c988dbe4b347ec703839170 100644 (file)
--- a/src/fde.h
+++ b/src/fde.h
 #include "comm.h"
 #include "defines.h"
 #include "ip/Address.h"
-
-#if HAVE_OPENSSL_SSL_H
-#include <openssl/ssl.h>
-#endif
+#include "security/forward.h"
 
 #if USE_DELAY_POOLS
 class ClientInfo;
@@ -109,8 +106,8 @@ public:
     CommWriteStateData *wstate;         /* State data for comm_write */
     READ_HANDLER *read_method;
     WRITE_HANDLER *write_method;
+    Security::SessionPointer ssl;
 #if USE_OPENSSL
-    SSL *ssl;
     SSL_CTX *dynamicSslContext; ///< cached and then freed when fd is closed
 #endif
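Review bot: `Security::SessionPointer ssl;` now exists in every build, including ones with no TLS library where it is a bare `void*`, but unlike its neighbour `dynamicSslContext` it carries no comment saying what it points to or who releases it when the FD is closed. I would document it the way the sibling is documented, e.g. `Security::SessionPointer ssl; ///< TLS session state for this FD, or nil when the connection is not encrypted; released when the FD is closed` — the release half of that should be confirmed against the close path, which is not in this diff. The fde class header is outside the hunk.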
 #if _SQUID_WINDOWS_
@@ -161,8 +158,8 @@ private:
         wstate = NULL;
         read_method = NULL;
         write_method = NULL;
-#if USE_OPENSSL
         ssl = NULL;
+#if USE_OPENSSL
         dynamicSslContext = NULL;
 #endif
 #if _SQUID_WINDOWS_
index b483e8a2fb6a16ad2348a8fd8adec0576b0bd990..475c094fd8794e488f910c475d10bc8fb83c6aa3 100644 (file)
@@ -16,4 +16,5 @@ libsecurity_la_SOURCES= \
        EncryptorAnswer.h \
        forward.h \
        PeerOptions.cc \
-       PeerOptions.h
+       PeerOptions.h \
+       Session.h
diff --git a/src/security/Session.h b/src/security/Session.h
new file mode 100644 (file)
index 0000000..86e23b2
--- /dev/null
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
+ *
+ * Squid software is distributed under GPLv2+ license and includes
+ * contributions from numerous individuals and organizations.
+ * Please see the COPYING and CONTRIBUTORS files for details.
+ */
+
+#ifndef SQUID_SRC_SECURITY_SESSION_H
+#define SQUID_SRC_SECURITY_SESSION_H
+
+#if USE_OPENSSL
+#if HAVE_OPENSSL_SSL_H
+#include <openssl/ssl.h>
+#endif
+#endif
+
+#if USE_GNUTLS
+#if HAVE_GNUTLS_GNUTLS_H
+#include <gnutls/gnutls.h>
+#endif
+#endif
+
+namespace Security {
+
+#if USE_OPENSSL
+typedef SSL* SessionPointer;
+
+#elif USE_GNUTLS
+typedef gnutls_session_t SessionPointer;
+
+#else
+// use void* so we can check against NULL
+typedef void* SessionPointer;
+#endif
+
+} // namespace Security
+
+#endif /* SQUID_SRC_SECURITY_SESSION_H */
+
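Review bot: The fallback `typedef void* SessionPointer;` makes `fde::ssl` accept any pointer at all in builds without a TLS library, so a stray assignment of an unrelated object would compile silently; an opaque pointer keeps the nullable-and-comparable property the comment asks for without that hole. I would replace the fallback with `class Session; typedef Session* SessionPointer;` — no definition is needed if, as seems likely, the pointer is only ever nil in that configuration. Separately, nesting `#if HAVE_OPENSSL_SSL_H` inside `#if USE_OPENSSL` means a build with USE_OPENSSL set but the header missing fails on the typedef with an unhelpful "SSL undeclared" error; an `#error` in an inner `#else` would name the real problem. A one-line doc comment on the typedef, e.g. `/// per-connection TLS session state handle of whichever library is linked`, would also help since this is a public libsecurity type.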
index bf49f518b68a6607e928144e5e2451b516c55ca4..96204331da28258f2255a3449591ea221b4a277b 100644 (file)
@@ -10,6 +10,7 @@
 #define SQUID_SRC_SECURITY_FORWARD_H
 
 #include "security/Context.h"
+#include "security/Session.h"
 
 /* flags a SSL connection can be configured with */
 #define SSL_FLAG_NO_DEFAULT_CA      (1<<0)
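Review bot: `#include "security/Session.h"` turns a forward-declaration header into one that pulls in `<openssl/ssl.h>` (or `<gnutls/gnutls.h>`) for every translation unit that includes security/forward.h, which after this commit includes everything that includes fde.h. That widens the OpenSSL include footprint into files that should stay library-neutral and makes fde.h's removal of its own `<openssl/ssl.h>` include cosmetic; the `security/Context.h` include just above presumably has the same effect, so this may be an accepted trade-off in this tree. If not, forward.h could declare the pointer type from a forward declaration alone (e.g. `struct ssl_st; typedef struct ssl_st SSL;` for OpenSSL) and leave the full library header to the TUs that call into it.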
index 7671f9b07ae2070406ade77e9f7e12b77a51cc4c..9746b9f03b5e89cfee8eef16df34c12bbdc3ae8d 100644 (file)
@@ -1252,7 +1252,7 @@ switchToTunnel(HttpRequest *request, Comm::ConnectionPointer &clientConn, Comm::
     fd_table[srvConn->fd].read_method = &default_read_method;
     fd_table[srvConn->fd].write_method = &default_write_method;
 
-    SSL *ssl = fd_table[srvConn->fd].ssl;
+    auto ssl = fd_table[srvConn->fd].ssl;
     assert(ssl);
     BIO *b = SSL_get_rbio(ssl);
     Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(b->ptr);