Ssl::loadSquidUntrusted(Config.ssl_client.foreignIntermediateCertsPath);
#endif
- if (Security::ProxyOutgoingConfig.encryptTransport) {
+ if (Security::ProxyOutgoingConfig().encryptTransport) {
debugs(3, 2, "initializing https:// proxy context");
- const auto rawSslContext = Security::ProxyOutgoingConfig.createClientContext(false);
+ const auto rawSslContext = Security::ProxyOutgoingConfig().createClientContext(false);
Config.ssl_client.sslContext_ = rawSslContext ? new Security::ContextPointer(rawSslContext) : nullptr;
if (!Config.ssl_client.sslContext_) {
#if USE_OPENSSL
#if USE_OPENSSL
Ssl::useSquidUntrusted(Config.ssl_client.sslContext_->get());
#endif
- Config.ssl_client.defaultPeerContext = new Security::FuturePeerContext(Security::ProxyOutgoingConfig, *Config.ssl_client.sslContext_);
+ Config.ssl_client.defaultPeerContext = new Security::FuturePeerContext(Security::ProxyOutgoingConfig(), *Config.ssl_client.sslContext_);
}
for (const auto &p: CurrentCachePeers()) {
throw TextException(ToSBuf("missing required parameter for obsolete directive: ", name), Here());
tmp.append(token, strlen(token));
- Security::ProxyOutgoingConfig.parse(tmp.c_str());
+ Security::ProxyOutgoingConfig().parse(tmp.c_str());
}
}
IFDEF: HAVE_LIBGNUTLS||USE_OPENSSL
TYPE: securePeerOptions
DEFAULT: min-version=1.0
-LOC: Security::ProxyOutgoingConfig
+LOC: Security::ProxyOutgoingConfig()
DOC_START
disable Do not support https:// URLs.
ConnStateData::getTlsContextFromCache(const SBuf &cacheKey, const Ssl::CertificateProperties &certProperties)
{
debugs(33, 5, "Finding SSL certificate for " << cacheKey << " in cache");
- Ssl::LocalContextStorage * ssl_ctx_cache = Ssl::TheGlobalContextStorage.getLocalStorage(port->s);
+ const auto ssl_ctx_cache = Ssl::TheGlobalContextStorage().getLocalStorage(port->s);
if (const auto ctx = ssl_ctx_cache ? ssl_ctx_cache->get(cacheKey) : nullptr) {
if (Ssl::verifySslCertificate(*ctx, certProperties)) {
debugs(33, 5, "Cached SSL certificate for " << certProperties.commonName << " is valid");
void
ConnStateData::storeTlsContextToCache(const SBuf &cacheKey, Security::ContextPointer &ctx)
{
- Ssl::LocalContextStorage *ssl_ctx_cache = Ssl::TheGlobalContextStorage.getLocalStorage(port->s);
+ const auto ssl_ctx_cache = Ssl::TheGlobalContextStorage().getLocalStorage(port->s);
if (!ssl_ctx_cache || !ssl_ctx_cache->add(cacheKey, ctx)) {
// If it is not in storage delete after using. Else storage deleted it.
fd_table[clientConnection->fd].dynamicTlsContext = ctx;
}
if (s->flags.tunnelSslBumping) {
// Create ssl_ctx cache for this port.
- Ssl::TheGlobalContextStorage.addLocalStorage(s->s, s->secure.dynamicCertMemCacheSize);
+ Ssl::TheGlobalContextStorage().addLocalStorage(s->s, s->secure.dynamicCertMemCacheSize);
}
}
#endif
htcpClosePorts();
#endif
#if USE_OPENSSL
- Ssl::TheGlobalContextStorage.reconfigureStart();
+ Ssl::TheGlobalContextStorage().reconfigureStart();
#endif
#if USE_AUTH
authenticateReset();
#include <bitset>
-Security::PeerOptions Security::ProxyOutgoingConfig;
+Security::PeerOptions &
+Security::ProxyOutgoingConfig()
+{
+ static const auto peerOptions = new PeerOptions();
+ return *peerOptions;
+}
Security::PeerOptions::PeerOptions()
{
};
/// configuration options for DIRECT server access
-extern PeerOptions ProxyOutgoingConfig;
+PeerOptions &ProxyOutgoingConfig();
} // namespace Security
// parse the tls_outgoing_options directive
void parse_securePeerOptions(Security::PeerOptions *);
-#define free_securePeerOptions(x) Security::ProxyOutgoingConfig.clear()
+#define free_securePeerOptions(x) Security::ProxyOutgoingConfig().clear()
#define dump_securePeerOptions(e,n,x) do { PackableStream os_(*(e)); os_ << n; (x).dumpCfg(os_,""); os_ << '\n'; } while (false)
#endif /* SQUID_SRC_SECURITY_PEEROPTIONS_H */
stream << "Port" << delimiter << "Max mem(KB)" << delimiter << "Cert number" << delimiter << "KB/cert" << delimiter << "Mem used(KB)" << delimiter << "Mem free(KB)" << endString;
// Add info for each port.
- for (std::map<Ip::Address, LocalContextStorage *>::iterator i = TheGlobalContextStorage.storage.begin(); i != TheGlobalContextStorage.storage.end(); ++i) {
- stream << i->first << delimiter;
- LocalContextStorage & ssl_store_policy(*(i->second));
+ for (const auto &i: TheGlobalContextStorage().storage) {
+ stream << i.first << delimiter;
+ const auto &ssl_store_policy = *i.second;
const auto memoryPerEntry = ssl_store_policy.entries() ?
ssl_store_policy.memoryUsed() / ssl_store_policy.entries() : 0;
stream << ssl_store_policy.memLimit() / 1024 << delimiter;
}
}
-Ssl::GlobalContextStorage Ssl::TheGlobalContextStorage;
+Ssl::GlobalContextStorage &
+Ssl::TheGlobalContextStorage()
+{
+ static const auto storage = new GlobalContextStorage();
+ return *storage;
+}
};
/// Global cache for store all SSL server certificates.
-extern GlobalContextStorage TheGlobalContextStorage;
+GlobalContextStorage &TheGlobalContextStorage();
} //namespace Ssl
#endif // USE_OPENSSL
static void HandleGeneratorReply(void *data, const ::Helper::Reply &reply);
+/// pending Ssl::Helper requests (to all certificate generator helpers combined)
+static GeneratorRequests &
+TheGeneratorRequests()
+{
+ static auto generatorRequests = new GeneratorRequests();
+ return *generatorRequests;
+}
+
} // namespace Ssl
CBDATA_NAMESPACED_CLASS_INIT(Ssl, GeneratorRequest);
return os << "crtGenRq" << gr.query.id.value << "/" << gr.requestors.size();
}
-/// pending Ssl::Helper requests (to all certificate generator helpers combined)
-static Ssl::GeneratorRequests TheGeneratorRequests;
-
Helper::Client::Pointer Ssl::Helper::ssl_crtd;
void Ssl::Helper::Init()
SBuf rawMessage(message.compose().c_str()); // XXX: helpers cannot use SBuf
rawMessage.append("\n", 1);
- const auto pending = TheGeneratorRequests.find(rawMessage);
- if (pending != TheGeneratorRequests.end()) {
+ const auto pending = TheGeneratorRequests().find(rawMessage);
+ if (pending != TheGeneratorRequests().end()) {
pending->second->emplace(callback, data);
debugs(83, 5, "collapsed request from " << data << " onto " << *pending->second);
return;
GeneratorRequest *request = new GeneratorRequest;
request->query = rawMessage;
request->emplace(callback, data);
- TheGeneratorRequests.emplace(request->query, request);
+ TheGeneratorRequests().emplace(request->query, request);
debugs(83, 5, "request from " << data << " as " << *request);
// ssl_crtd becomes nil if Squid is reconfigured without SslBump or
// certificate generation disabled in the new configuration
{
const std::unique_ptr<Ssl::GeneratorRequest> request(static_cast<Ssl::GeneratorRequest*>(data));
assert(request);
- const auto erased = TheGeneratorRequests.erase(request->query);
+ const auto erased = TheGeneratorRequests().erase(request->query);
assert(erased);
for (auto &requestor: request->requestors) {
// TODO: Move ssl_ex_index_* global variables from global.cc here.
static int ssl_ex_index_verify_callback_parameters = -1;
-static Ssl::CertsIndexedList SquidUntrustedCerts;
-
const EVP_MD *Ssl::DefaultSignHash = nullptr;
std::vector<const char *> Ssl::BumpModeStr = {
AnyP::Host needle_; ///< a name we are looking for
};
+static CertsIndexedList &
+SquidUntrustedCerts()
+{
+ static auto untrustedCerts = new CertsIndexedList();
+ return *untrustedCerts;
+}
+
} // namespace Ssl
bool
}
// check untrusted certificates
- if (const auto issuer = findCertIssuerFast(SquidUntrustedCerts, cert)) {
+ if (const auto issuer = findCertIssuerFast(SquidUntrustedCerts(), cert)) {
X509_up_ref(issuer);
return Security::CertPointer(issuer);
}
completeIssuers(X509_STORE_CTX *ctx, STACK_OF(X509) &untrustedCerts)
{
debugs(83, 2, "completing " << sk_X509_num(&untrustedCerts) <<
- " OpenSSL untrusted certs using " << SquidUntrustedCerts.size() <<
+ " OpenSSL untrusted certs using " << Ssl::SquidUntrustedCerts().size() <<
" configured untrusted certificates");
const X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(ctx);
// If the local untrusted certificates internal database is used
// run completeIssuers to add missing certificates if possible.
- if (SquidUntrustedCerts.size() > 0)
+ if (Ssl::SquidUntrustedCerts().size() > 0)
completeIssuers(ctx, *untrustedCerts);
X509_STORE_CTX_set0_untrusted(ctx, untrustedCerts.get()); // No locking/unlocking, just sets ctx->untrusted
bool
Ssl::loadSquidUntrusted(const char *path)
{
- return Ssl::loadCerts(path, SquidUntrustedCerts);
+ return Ssl::loadCerts(path, SquidUntrustedCerts());
}
void
Ssl::unloadSquidUntrusted()
{
- if (SquidUntrustedCerts.size()) {
- for (Ssl::CertsIndexedList::iterator it = SquidUntrustedCerts.begin(); it != SquidUntrustedCerts.end(); ++it) {
- X509_free(it->second);
+ if (SquidUntrustedCerts().size()) {
+ for (const auto &i: SquidUntrustedCerts()) {
+ X509_free(i.second);
}
- SquidUntrustedCerts.clear();
+ SquidUntrustedCerts().clear();
}
}
}
#include "security/PeerOptions.h"
-Security::PeerOptions Security::ProxyOutgoingConfig;
+Security::PeerOptions &Security::ProxyOutgoingConfig() STUB_RETREF(Security::PeerOptions)
Security::PeerOptions::PeerOptions() {
#if USE_OPENSSL
Ssl::LocalContextStorage *Ssl::GlobalContextStorage::getLocalStorage(Ip::Address const &)
{ fatal(STUB_API " required"); static LocalContextStorage v(0); return &v; }
void Ssl::GlobalContextStorage::reconfigureStart() STUB
-//Ssl::GlobalContextStorage Ssl::TheGlobalContextStorage;
#include "ssl/ErrorDetail.h"
#include "ssl/support.h"
projects / thirdparty / squid.git / commitdiff
