/* Security::PeerConnector API */
virtual bool initialize(Security::SessionPointer &);
virtual void noteNegotiationDone(ErrorState *error);
- virtual Security::ContextPtr getSslContext() {
- return icapService->sslContext.get();
+ virtual Security::ContextPointer getTlsContext() {
+ return icapService->sslContext;
}
private:
if (!ret)
debugs(33, 5, "Failed to set certificates to ssl object for PeekAndSplice mode");
- SSL_CTX *sslContext = SSL_get_SSL_CTX(ssl);
- Ssl::configureUnconfiguredSslContext(sslContext, signAlgorithm, *port);
+ Security::ContextPointer ctx;
+ ctx.resetAndLock(SSL_get_SSL_CTX(ssl));
+ Ssl::configureUnconfiguredSslContext(ctx, signAlgorithm, *port);
} else {
Security::ContextPointer ctx(Ssl::generateSslContextUsingPkeyAndCertFromMemory(reply_message.getBody().c_str(), *port));
getSslContextDone(ctx, true);
Security::ContextPointer *cachedCtx = ssl_ctx_cache ? ssl_ctx_cache->get(sslBumpCertKey.termedBuf()) : nullptr;
if (cachedCtx) {
debugs(33, 5, "SSL certificate for " << sslBumpCertKey << " found in cache");
- if (Ssl::verifySslCertificate(cachedCtx->get(), certProperties)) {
+ if (Ssl::verifySslCertificate(*cachedCtx, certProperties)) {
debugs(33, 5, "Cached SSL certificate for " << sslBumpCertKey << " is valid");
getSslContextDone(*cachedCtx);
return;
if (!Ssl::configureSSL(ssl, certProperties, *port))
debugs(33, 5, "Failed to set certificates to ssl object for PeekAndSplice mode");
- SSL_CTX *sslContext = SSL_get_SSL_CTX(ssl);
- Ssl::configureUnconfiguredSslContext(sslContext, certProperties.signAlgorithm, *port);
+ Security::ContextPointer ctx;
+ ctx.resetAndLock(SSL_get_SSL_CTX(ssl));
+ Ssl::configureUnconfiguredSslContext(ctx, certProperties.signAlgorithm, *port);
} else {
Security::ContextPointer dynCtx(Ssl::generateSslContext(certProperties, *port));
getSslContextDone(dynCtx, true);
if (port->generateHostCertificates && isNew) {
if (ctx && (signAlgorithm == Ssl::algSignTrusted)) {
- Ssl::chainCertificatesToSSLContext(ctx.get(), *port);
+ Ssl::chainCertificatesToSSLContext(ctx, *port);
} else if (signAlgorithm == Ssl::algSignTrusted) {
debugs(33, DBG_IMPORTANT, "WARNING: can not add signing certificate to SSL context chain because SSL context chain is invalid!");
}
CBDATA_NAMESPACED_CLASS_INIT(Security, BlindPeerConnector);
-Security::ContextPtr
-Security::BlindPeerConnector::getSslContext()
+Security::ContextPointer
+Security::BlindPeerConnector::getTlsContext()
{
if (const CachePeer *peer = serverConnection()->getPeer()) {
assert(peer->secure.encryptTransport);
- return peer->sslContext.get();
+ return peer->sslContext;
}
- return ::Config.ssl_client.sslContext.get();
+ return ::Config.ssl_client.sslContext;
}
bool
/// \returns true on successful initialization
virtual bool initialize(Security::SessionPointer &);
- /// Return the configured Security::ContextPtr object
- virtual Security::ContextPtr getSslContext();
+ /// Return the configured TLS context object
+ virtual Security::ContextPointer getTlsContext();
/// On error calls peerConnectFailed().
/// On success store the used TLS session for later use.
namespace Security {
-/* IMPORTANT:
- * Due to circular dependency issues between ssl/libsslsquid.la and
- * security/libsecurity.la the code within src/ssl/ is restricted to
- * only using Security::ContextPtr, it MUST NOT use ContextPointer
- *
- * Code outside of src/ssl/ should always use Security::ContextPointer
- * when storing a reference to a context.
- */
#if USE_OPENSSL
-typedef SSL_CTX* ContextPtr;
CtoCpp1(SSL_CTX_free, SSL_CTX *);
typedef LockingPointer<SSL_CTX, SSL_CTX_free_cpp, CRYPTO_LOCK_SSL_CTX> ContextPointer;
#elif USE_GNUTLS
-typedef gnutls_certificate_credentials_t ContextPtr;
CtoCpp1(gnutls_certificate_free_credentials, gnutls_certificate_credentials_t);
typedef Security::LockingPointer<struct gnutls_certificate_credentials_st, gnutls_certificate_free_credentials_cpp, -1> ContextPointer;
#else
// use void* so we can check against nullptr
-typedef void* ContextPtr;
typedef Security::LockingPointer<void, nullptr, -1> ContextPointer;
#endif
~LockingPointer() { unlock(); }
// copy semantics are okay only when adding a lock reference
- explicit LockingPointer(const SelfType &o) : raw(nullptr) {
+ LockingPointer(const SelfType &o) : raw(nullptr) {
resetAndLock(o.get());
}
const SelfType &operator =(const SelfType &o) {
Security::PeerConnector::initialize(Security::SessionPointer &serverSession)
{
#if USE_OPENSSL
- Security::ContextPtr sslContext(getSslContext());
- assert(sslContext);
+ Security::ContextPointer ctx(getTlsContext());
+ assert(ctx);
- if (!Ssl::CreateClient(sslContext, serverConnection(), "server https start")) {
+ if (!Ssl::CreateClient(ctx, serverConnection(), "server https start")) {
ErrorState *anErr = new ErrorState(ERR_SOCKET_FAILURE, Http::scInternalServerError, request.getRaw());
anErr->xerrno = errno;
debugs(83, DBG_IMPORTANT, "Error allocating TLS handle: " << ERR_error_string(ERR_get_error(), NULL));
/// \param error if not NULL the SSL negotiation was aborted with an error
virtual void noteNegotiationDone(ErrorState *error) {}
- /// Must implemented by the kid classes to return the Security::ContextPtr object to use
+ /// Must implemented by the kid classes to return the TLS context object to use
/// for building the encryption context objects.
- virtual Security::ContextPtr getSslContext() = 0;
+ virtual Security::ContextPointer getTlsContext() = 0;
/// mimics FwdState to minimize changes to FwdState::initiate/negotiateSsl
Comm::ConnectionPointer const &serverConnection() const { return serverConn; }
Ssl::InitClientContext(t, *this, (setOptions ? parsedOptions : 0), parsedFlags);
#endif
updateContextNpn(t);
- updateContextCa(t.get());
- updateContextCrl(t.get());
+ updateContextCa(t);
+ updateContextCrl(t);
}
return t;
}
static const char *
-loadSystemTrustedCa(Security::ContextPtr &ctx)
+loadSystemTrustedCa(Security::ContextPointer &ctx)
{
#if USE_OPENSSL
- if (SSL_CTX_set_default_verify_paths(ctx) == 0)
+ if (SSL_CTX_set_default_verify_paths(ctx.get()) == 0)
return ERR_error_string(ERR_get_error(), nullptr);
#elif USE_GNUTLS
- auto x = gnutls_certificate_set_x509_system_trust(ctx);
+ auto x = gnutls_certificate_set_x509_system_trust(ctx.get());
if (x < 0)
return gnutls_strerror(x);
}
void
-Security::PeerOptions::updateContextCa(Security::ContextPtr ctx)
+Security::PeerOptions::updateContextCa(Security::ContextPointer &ctx)
{
debugs(83, 8, "Setting CA certificate locations.");
#if USE_OPENSSL
#endif
for (auto i : caFiles) {
#if USE_OPENSSL
- if (!SSL_CTX_load_verify_locations(ctx, i.c_str(), path)) {
+ if (!SSL_CTX_load_verify_locations(ctx.get(), i.c_str(), path)) {
const int ssl_error = ERR_get_error();
debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting CA certificate locations: " << ERR_error_string(ssl_error, NULL));
}
#elif USE_GNUTLS
- if (gnutls_certificate_set_x509_trust_file(ctx, i.c_str(), GNUTLS_X509_FMT_PEM) < 0) {
+ if (gnutls_certificate_set_x509_trust_file(ctx.get(), i.c_str(), GNUTLS_X509_FMT_PEM) < 0) {
debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting CA certificate location: " << i);
}
#endif
}
void
-Security::PeerOptions::updateContextCrl(Security::ContextPtr ctx)
+Security::PeerOptions::updateContextCrl(Security::ContextPointer &ctx)
{
#if USE_OPENSSL
bool verifyCrl = false;
- X509_STORE *st = SSL_CTX_get_cert_store(ctx);
+ X509_STORE *st = SSL_CTX_get_cert_store(ctx.get());
if (parsedCrl.size()) {
for (auto &i : parsedCrl) {
if (!X509_STORE_add_crl(st, i.get()))
void updateContextNpn(Security::ContextPointer &);
/// setup the CA details for the given context
- void updateContextCa(Security::ContextPtr);
+ void updateContextCa(Security::ContextPointer &);
/// setup the CRL details for the given context
- void updateContextCrl(Security::ContextPtr);
+ void updateContextCrl(Security::ContextPointer &);
/// output squid.conf syntax with 'pfx' prefix on parameters for the stored settings
virtual void dumpCfg(Packable *, const char *pfx) const;
}
void
-Security::ServerOptions::updateContextEecdh(Security::ContextPtr &ctx)
+Security::ServerOptions::updateContextEecdh(Security::ContextPointer &ctx)
{
// set Elliptic Curve details into the server context
if (!eecdhCurve.isEmpty()) {
return;
}
- if (!SSL_CTX_set_tmp_ecdh(ctx, ecdh)) {
+ if (!SSL_CTX_set_tmp_ecdh(ctx.get(), ecdh)) {
auto ssl_error = ERR_get_error();
debugs(83, DBG_CRITICAL, "ERROR: Unable to set Ephemeral ECDH: " << ERR_error_string(ssl_error, NULL));
}
// set DH parameters into the server context
#if USE_OPENSSL
if (parsedDhParams.get()) {
- SSL_CTX_set_tmp_dh(ctx, parsedDhParams.get());
+ SSL_CTX_set_tmp_dh(ctx.get(), parsedDhParams.get());
}
#endif
}
bool createStaticServerContext(AnyP::PortCfg &);
/// update the context with DH, EDH, EECDH settings
- void updateContextEecdh(Security::ContextPtr &);
+ void updateContextEecdh(Security::ContextPointer &);
public:
/// TLS context to use for HTTPS accelerator or static SSL-Bump
}
for (AnyP::PortCfgPointer s = HttpPortList; s != nullptr; s = s->next) {
- if (s->secure.staticContext.get())
- Ssl::SetSessionCallbacks(s->secure.staticContext.get());
+ if (s->secure.staticContext)
+ Ssl::SetSessionCallbacks(s->secure.staticContext);
}
#endif
}
return Ssl::bumpSplice;
}
-Security::ContextPtr
-Ssl::PeekingPeerConnector::getSslContext()
+Security::ContextPointer
+Ssl::PeekingPeerConnector::getTlsContext()
{
- return ::Config.ssl_client.sslContext.get();
+ return ::Config.ssl_client.sslContext;
}
bool
/* Security::PeerConnector API */
virtual bool initialize(Security::SessionPointer &);
- virtual Security::ContextPtr getSslContext();
+ virtual Security::ContextPointer getTlsContext();
virtual void noteWantWrite();
virtual void noteNegotiationError(const int result, const int ssl_error, const int ssl_lib_error);
virtual void noteNegotiationDone(ErrorState *error);
#endif
static bool
-configureSslContext(Security::ContextPtr sslContext, AnyP::PortCfg &port)
+configureSslContext(Security::ContextPointer &ctx, AnyP::PortCfg &port)
{
int ssl_error;
- SSL_CTX_set_options(sslContext, port.secure.parsedOptions);
+ SSL_CTX_set_options(ctx.get(), port.secure.parsedOptions);
#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
- SSL_CTX_set_info_callback(sslContext, ssl_info_cb);
+ SSL_CTX_set_info_callback(ctx.get(), ssl_info_cb);
#endif
if (port.sslContextSessionId)
- SSL_CTX_set_session_id_context(sslContext, (const unsigned char *)port.sslContextSessionId, strlen(port.sslContextSessionId));
+ SSL_CTX_set_session_id_context(ctx.get(), (const unsigned char *)port.sslContextSessionId, strlen(port.sslContextSessionId));
if (port.secure.parsedFlags & SSL_FLAG_NO_SESSION_REUSE) {
- SSL_CTX_set_session_cache_mode(sslContext, SSL_SESS_CACHE_OFF);
+ SSL_CTX_set_session_cache_mode(ctx.get(), SSL_SESS_CACHE_OFF);
}
if (Config.SSL.unclean_shutdown) {
debugs(83, 5, "Enabling quiet SSL shutdowns (RFC violation).");
- SSL_CTX_set_quiet_shutdown(sslContext, 1);
+ SSL_CTX_set_quiet_shutdown(ctx.get(), 1);
}
if (!port.secure.sslCipher.isEmpty()) {
debugs(83, 5, "Using chiper suite " << port.secure.sslCipher << ".");
- if (!SSL_CTX_set_cipher_list(sslContext, port.secure.sslCipher.c_str())) {
+ if (!SSL_CTX_set_cipher_list(ctx.get(), port.secure.sslCipher.c_str())) {
ssl_error = ERR_get_error();
debugs(83, DBG_CRITICAL, "ERROR: Failed to set SSL cipher suite '" << port.secure.sslCipher << "': " << ERR_error_string(ssl_error, NULL));
return false;
}
debugs(83, 9, "Setting RSA key generation callback.");
- SSL_CTX_set_tmp_rsa_callback(sslContext, ssl_temp_rsa_cb);
+ SSL_CTX_set_tmp_rsa_callback(ctx.get(), ssl_temp_rsa_cb);
- port.secure.updateContextEecdh(sslContext);
- port.secure.updateContextCa(sslContext);
+ port.secure.updateContextEecdh(ctx);
+ port.secure.updateContextCa(ctx);
if (port.clientCA.get()) {
ERR_clear_error();
if (STACK_OF(X509_NAME) *clientca = SSL_dup_CA_list(port.clientCA.get())) {
- SSL_CTX_set_client_CA_list(sslContext, clientca);
+ SSL_CTX_set_client_CA_list(ctx.get(), clientca);
} else {
ssl_error = ERR_get_error();
debugs(83, DBG_CRITICAL, "ERROR: Failed to dupe the client CA list: " << ERR_error_string(ssl_error, NULL));
if (port.secure.parsedFlags & SSL_FLAG_DELAYED_AUTH) {
debugs(83, 9, "Not requesting client certificates until acl processing requires one");
- SSL_CTX_set_verify(sslContext, SSL_VERIFY_NONE, NULL);
+ SSL_CTX_set_verify(ctx.get(), SSL_VERIFY_NONE, NULL);
} else {
debugs(83, 9, "Requiring client certificates.");
- SSL_CTX_set_verify(sslContext, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ssl_verify_cb);
+ SSL_CTX_set_verify(ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ssl_verify_cb);
}
- port.secure.updateContextCrl(sslContext);
+ port.secure.updateContextCrl(ctx);
} else {
debugs(83, 9, "Not requiring any client certificates");
- SSL_CTX_set_verify(sslContext, SSL_VERIFY_NONE, NULL);
+ SSL_CTX_set_verify(ctx.get(), SSL_VERIFY_NONE, NULL);
}
if (port.secure.parsedFlags & SSL_FLAG_DONT_VERIFY_DOMAIN)
- SSL_CTX_set_ex_data(sslContext, ssl_ctx_ex_index_dont_verify_domain, (void *) -1);
+ SSL_CTX_set_ex_data(ctx.get(), ssl_ctx_ex_index_dont_verify_domain, (void *) -1);
- Ssl::SetSessionCallbacks(sslContext);
+ Ssl::SetSessionCallbacks(ctx);
return true;
}
bool
-Ssl::InitServerContext(const Security::ContextPointer &ctx, AnyP::PortCfg &port)
+Ssl::InitServerContext(Security::ContextPointer &ctx, AnyP::PortCfg &port)
{
if (!ctx)
return false;
return false;
}
- Ssl::addChainToSslContext(ctx.get(), port.certsToChain.get());
+ Ssl::addChainToSslContext(ctx, port.certsToChain.get());
/* Alternate code;
debugs(83, DBG_IMPORTANT, "Using certificate in " << certfile);
}
*/
- if (!configureSslContext(ctx.get(), port)) {
+ if (!configureSslContext(ctx, port)) {
debugs(83, DBG_CRITICAL, "ERROR: Configuring static SSL context");
return false;
}
if (!SSL_CTX_use_PrivateKey(ctx.get(), pkey.get()))
return Security::ContextPointer();
- if (!configureSslContext(ctx.get(), port))
+ if (!configureSslContext(ctx, port))
return Security::ContextPointer();
return ctx;
}
void
-Ssl::chainCertificatesToSSLContext(SSL_CTX *sslContext, AnyP::PortCfg &port)
+Ssl::chainCertificatesToSSLContext(Security::ContextPointer &ctx, AnyP::PortCfg &port)
{
- assert(sslContext != NULL);
+ assert(ctx);
// Add signing certificate to the certificates chain
X509 *signingCert = port.signingCert.get();
- if (SSL_CTX_add_extra_chain_cert(sslContext, signingCert)) {
+ if (SSL_CTX_add_extra_chain_cert(ctx.get(), signingCert)) {
// increase the certificate lock
CRYPTO_add(&(signingCert->references),1,CRYPTO_LOCK_X509);
} else {
const int ssl_error = ERR_get_error();
debugs(33, DBG_IMPORTANT, "WARNING: can not add signing certificate to SSL context chain: " << ERR_error_string(ssl_error, NULL));
}
- Ssl::addChainToSslContext(sslContext, port.certsToChain.get());
+ Ssl::addChainToSslContext(ctx, port.certsToChain.get());
}
void
-Ssl::configureUnconfiguredSslContext(SSL_CTX *sslContext, Ssl::CertSignAlgorithm signAlgorithm,AnyP::PortCfg &port)
+Ssl::configureUnconfiguredSslContext(Security::ContextPointer &ctx, Ssl::CertSignAlgorithm signAlgorithm,AnyP::PortCfg &port)
{
- if (sslContext && signAlgorithm == Ssl::algSignTrusted) {
- Ssl::chainCertificatesToSSLContext(sslContext, port);
- }
+ if (ctx && signAlgorithm == Ssl::algSignTrusted)
+ Ssl::chainCertificatesToSSLContext(ctx, port);
}
bool
return true;
}
-bool Ssl::verifySslCertificate(Security::ContextPtr sslContext, CertificateProperties const &properties)
+bool
+Ssl::verifySslCertificate(Security::ContextPointer &ctx, CertificateProperties const &properties)
{
// SSL_get_certificate is buggy in openssl versions 1.0.1d and 1.0.1e
- // Try to retrieve certificate directly from Security::ContextPtr object
+ // Try to retrieve certificate directly from Security::ContextPointer object
#if SQUID_USE_SSLGETCERTIFICATE_HACK
- X509 ***pCert = (X509 ***)sslContext->cert;
+ X509 ***pCert = (X509 ***)ctx->cert;
X509 * cert = pCert && *pCert ? **pCert : NULL;
#elif SQUID_SSLGETCERTIFICATE_BUGGY
X509 * cert = NULL;
assert(0);
#else
// Temporary ssl for getting X509 certificate from SSL_CTX.
- Security::SessionPointer ssl(SSL_new(sslContext));
+ Security::SessionPointer ssl(SSL_new(ctx.get()));
X509 * cert = SSL_get_certificate(ssl.get());
#endif
if (!cert)
#endif
}
-void Ssl::addChainToSslContext(Security::ContextPtr sslContext, STACK_OF(X509) *chain)
+void
+Ssl::addChainToSslContext(Security::ContextPointer &ctx, STACK_OF(X509) *chain)
{
if (!chain)
return;
for (int i = 0; i < sk_X509_num(chain); ++i) {
X509 *cert = sk_X509_value(chain, i);
- if (SSL_CTX_add_extra_chain_cert(sslContext, cert)) {
+ if (SSL_CTX_add_extra_chain_cert(ctx.get(), cert)) {
// increase the certificate lock
CRYPTO_add(&(cert->references),1,CRYPTO_LOCK_X509);
} else {
}
static bool
-SslCreate(Security::ContextPtr sslContext, const Comm::ConnectionPointer &conn, Ssl::Bio::Type type, const char *squidCtx)
+SslCreate(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &conn, Ssl::Bio::Type type, const char *squidCtx)
{
if (!Comm::IsConnOpen(conn)) {
debugs(83, DBG_IMPORTANT, "Gone connection");
const char *errAction = NULL;
int errCode = 0;
- if (auto ssl = SSL_new(sslContext)) {
+ if (auto ssl = SSL_new(ctx.get())) {
const int fd = conn->fd;
// without BIO, we would call SSL_set_fd(ssl, fd) instead
if (BIO *bio = Ssl::Bio::Create(fd, type)) {
}
bool
-Ssl::CreateClient(Security::ContextPtr sslContext, const Comm::ConnectionPointer &c, const char *squidCtx)
+Ssl::CreateClient(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &c, const char *squidCtx)
{
- return SslCreate(sslContext, c, Ssl::Bio::BIO_TO_SERVER, squidCtx);
+ return SslCreate(ctx, c, Ssl::Bio::BIO_TO_SERVER, squidCtx);
}
bool
Ssl::CreateServer(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &c, const char *squidCtx)
{
- return SslCreate(ctx.get(), c, Ssl::Bio::BIO_TO_CLIENT, squidCtx);
+ return SslCreate(ctx, c, Ssl::Bio::BIO_TO_CLIENT, squidCtx);
}
static int
}
void
-Ssl::SetSessionCallbacks(Security::ContextPtr ctx)
+Ssl::SetSessionCallbacks(Security::ContextPointer &ctx)
{
if (Ssl::SessionCache) {
- SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL);
- SSL_CTX_sess_set_new_cb(ctx, store_session_cb);
- SSL_CTX_sess_set_remove_cb(ctx, remove_session_cb);
- SSL_CTX_sess_set_get_cb(ctx, get_session_cb);
+ SSL_CTX_set_session_cache_mode(ctx.get(), SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL);
+ SSL_CTX_sess_set_new_cb(ctx.get(), store_session_cb);
+ SSL_CTX_sess_set_remove_cb(ctx.get(), remove_session_cb);
+ SSL_CTX_sess_set_get_cb(ctx.get(), get_session_cb);
}
}
/// Creates SSL Client connection structure and initializes SSL I/O (Comm and BIO).
/// On errors, emits DBG_IMPORTANT with details and returns false.
-bool CreateClient(Security::ContextPtr sslContext, const Comm::ConnectionPointer &, const char *squidCtx);
+bool CreateClient(const Security::ContextPointer &, const Comm::ConnectionPointer &, const char *squidCtx);
/// Creates SSL Server connection structure and initializes SSL I/O (Comm and BIO).
/// On errors, emits DBG_IMPORTANT with details and returns false.
bool CreateServer(const Security::ContextPointer &, const Comm::ConnectionPointer &, const char *squidCtx);
-void SetSessionCallbacks(Security::ContextPtr);
+void SetSessionCallbacks(Security::ContextPointer &);
extern Ipc::MemMap *SessionCache;
extern const char *SessionCacheName;
/// initialize a TLS server context with OpenSSL specific settings
-bool InitServerContext(const Security::ContextPointer &, AnyP::PortCfg &);
+bool InitServerContext(Security::ContextPointer &, AnyP::PortCfg &);
/// initialize a TLS client context with OpenSSL specific settings
bool InitClientContext(Security::ContextPointer &, Security::PeerOptions &, long options, long flags);
\param properties Check if the context certificate matches the given properties
\return true if the contexts certificate is valid, false otherwise
*/
-bool verifySslCertificate(Security::ContextPtr sslContext, CertificateProperties const &properties);
+bool verifySslCertificate(Security::ContextPointer &, CertificateProperties const &);
/**
\ingroup ServerProtocolSSLAPI
\ingroup ServerProtocolSSLAPI
* Chain signing certificate and chained certificates to an SSL Context
*/
-void chainCertificatesToSSLContext(SSL_CTX *sslContext, AnyP::PortCfg &port);
+void chainCertificatesToSSLContext(Security::ContextPointer &, AnyP::PortCfg &);
/**
\ingroup ServerProtocolSSLAPI
* Configure a previously unconfigured SSL context object.
*/
-void configureUnconfiguredSslContext(SSL_CTX *sslContext, Ssl::CertSignAlgorithm signAlgorithm,AnyP::PortCfg &port);
+void configureUnconfiguredSslContext(Security::ContextPointer &, Ssl::CertSignAlgorithm signAlgorithm, AnyP::PortCfg &);
/**
\ingroup ServerProtocolSSLAPI
\ingroup ServerProtocolSSLAPI
* Adds the certificates in certList to the certificate chain of the SSL context
*/
-void addChainToSslContext(Security::ContextPtr sslContext, STACK_OF(X509) *certList);
+void addChainToSslContext(Security::ContextPointer &, STACK_OF(X509) *certList);
/**
\ingroup ServerProtocolSSLAPI
namespace Security
{
bool BlindPeerConnector::initialize(Security::SessionPointer &) STUB_RETVAL(false)
-Security::ContextPtr BlindPeerConnector::getSslContext() STUB_RETVAL(nullptr)
+Security::ContextPointer BlindPeerConnector::getTlsContext() STUB_RETVAL(Security::ContextPointer())
void BlindPeerConnector::noteNegotiationDone(ErrorState *) STUB
}
void PeerConnector::noteWantRead() STUB
void PeerConnector::noteWantWrite() STUB
void PeerConnector::noteNegotiationError(const int, const int, const int) STUB
-// virtual Security::ContextPtr getSslContext() = 0;
+// virtual Security::ContextPointer getTlsContext() = 0;
void PeerConnector::bail(ErrorState *) STUB
void PeerConnector::callBack() STUB
void PeerConnector::recordNegotiationDetails() STUB
Security::ContextPointer Security::PeerOptions::createClientContext(bool) STUB_RETVAL(Security::ContextPointer())
void Security::PeerOptions::updateTlsVersionLimits() STUB
Security::ContextPointer Security::PeerOptions::createBlankContext() const STUB_RETVAL(Security::ContextPointer())
-void Security::PeerOptions::updateContextCa(Security::ContextPtr) STUB
-void Security::PeerOptions::updateContextCrl(Security::ContextPtr) STUB
+void Security::PeerOptions::updateContextCa(Security::ContextPointer &) STUB
+void Security::PeerOptions::updateContextCrl(Security::ContextPointer &) STUB
void Security::PeerOptions::dumpCfg(Packable*, char const*) const STUB
long Security::PeerOptions::parseOptions() STUB_RETVAL(0)
long Security::PeerOptions::parseFlags() STUB_RETVAL(0)
void Security::ServerOptions::dumpCfg(Packable *, const char *) const STUB
Security::ContextPointer Security::ServerOptions::createBlankContext() const STUB_RETVAL(Security::ContextPointer())
bool Security::ServerOptions::createStaticServerContext(AnyP::PortCfg &) STUB_RETVAL(false)
-void Security::ServerOptions::updateContextEecdh(Security::ContextPtr &) STUB
+void Security::ServerOptions::updateContextEecdh(Security::ContextPointer &) STUB
#include "security/Session.h"
namespace Security {
#include "ssl/support.h"
namespace Ssl
{
-bool InitServerContext(const Security::ContextPointer &, AnyP::PortCfg &) STUB_RETVAL(false)
+bool InitServerContext(Security::ContextPointer &, AnyP::PortCfg &) STUB_RETVAL(false)
bool InitClientContext(Security::ContextPointer &, Security::PeerOptions &, long, const char *) STUB_RETVAL(false)
} // namespace Ssl
int ssl_read_method(int, char *, int) STUB_RETVAL(0)
const char *BumpModeStr[] = {""};
bool generateUntrustedCert(Security::CertPointer & untrustedCert, EVP_PKEY_Pointer & untrustedPkey, Security::CertPointer const & cert, EVP_PKEY_Pointer const & pkey) STUB_RETVAL(false)
Security::ContextPointer generateSslContext(CertificateProperties const &, AnyP::PortCfg &) STUB_RETVAL(Security::ContextPointer())
-bool verifySslCertificate(Security::ContextPtr sslContext, CertificateProperties const &properties) STUB_RETVAL(false)
+bool verifySslCertificate(Security::ContextPointer &, CertificateProperties const &) STUB_RETVAL(false)
Security::ContextPointer generateSslContextUsingPkeyAndCertFromMemory(const char *, AnyP::PortCfg &) STUB_RETVAL(Security::ContextPointer())
-void addChainToSslContext(Security::ContextPtr sslContext, STACK_OF(X509) *certList) STUB
+void addChainToSslContext(Security::ContextPointer &, STACK_OF(X509) *) STUB
void readCertChainAndPrivateKeyFromFiles(Security::CertPointer & cert, EVP_PKEY_Pointer & pkey, X509_STACK_Pointer & chain, char const * certFilename, char const * keyFilename) STUB
int matchX509CommonNames(X509 *peer_cert, void *check_data, int (*check_func)(void *check_data, ASN1_STRING *cn_data)) STUB_RETVAL(0)
bool checkX509ServerValidity(X509 *cert, const char *server) STUB_RETVAL(false)
projects / thirdparty / squid.git / commitdiff
