From 3aac8c266e6931c4953eabc654db0ce687aa6685 Mon Sep 17 00:00:00 2001
From: Amos Jeffries
Date: Mon, 13 Jul 2015 08:21:26 -0700
Subject: [PATCH] Crypto-NG: add SessionPointer type to libsecurity API

This type represents the appropriate TLS connection state session pointer for whichever crypto library is linked against.

Also replaces all uses of SSL* outside of src/ssl/ with the new Pointer or 'auto'.
---
 src/acl/Certificate.cc         |  2 +-
 src/adaptation/icap/Xaction.cc | 12 +++++-----
 src/client_side.cc             | 26 +++++++++++-----------
 src/client_side_request.cc     |  2 +-
 src/external_acl.cc            | 16 ++++----------
 src/fde.h                      |  9 +++-----
 src/security/Makefile.am       |  3 ++-
 src/security/Session.h         | 40 ++++++++++++++++++++++++++++++++++
 src/security/forward.h         |  1 +
 src/tunnel.cc                  |  2 +-
 10 files changed, 72 insertions(+), 41 deletions(-)
 create mode 100644 src/security/Session.h

diff --git a/src/acl/Certificate.cc b/src/acl/Certificate.cc
index 30974aeaaa..8b09e10e62 100644
--- a/src/acl/Certificate.cc
+++ b/src/acl/Certificate.cc
@@ -28,7 +28,7 @@ ACLCertificateStrategy::match (ACLData * &data, ACLFilledChecklist *c
 {
     const int fd = checklist->fd();
     const bool goodDescriptor = 0 <= fd && fd <= Biggest_FD;
-    SSL *ssl = goodDescriptor ? fd_table[fd].ssl : 0;
+    auto ssl = goodDescriptor ? fd_table[fd].ssl : nullptr;
     X509 *cert = SSL_get_peer_certificate(ssl);
     const bool res = data->match (cert);
     X509_free(cert);
diff --git a/src/adaptation/icap/Xaction.cc b/src/adaptation/icap/Xaction.cc
index 69c622eae7..66e092d903 100644
--- a/src/adaptation/icap/Xaction.cc
+++ b/src/adaptation/icap/Xaction.cc
@@ -60,7 +60,7 @@ public:
         PeerConnector(aServerConn, aCallback, timeout),
         icapService(service) {}
 
     /* PeerConnector API */
-    virtual SSL *initializeSsl();
+    virtual Security::SessionPointer initializeSsl();
     virtual void noteNegotiationDone(ErrorState *error);
     virtual SSL_CTX *getSslContext() {return icapService->sslContext; }
@@ -296,7 +296,7 @@ void Adaptation::Icap::Xaction::noteCommConnected(const CommConnectCbParams &io)
 #if USE_OPENSSL
     // If it is a reused connection and the SSL object is build
     // we should not negotiate new SSL session
-    SSL *ssl = fd_table[io.conn->fd].ssl;
+    auto ssl = fd_table[io.conn->fd].ssl;
     if (!ssl && service().cfg().secure.encryptTransport) {
         CbcPointer me(this);
         securer = asyncCall(93, 4, "Adaptation::Icap::Xaction::handleSecuredPeer",
@@ -696,12 +696,12 @@ bool Adaptation::Icap::Xaction::fillVirginHttpHeader(MemBuf &) const
 }
 
 #if USE_OPENSSL
-SSL *
+Security::SessionPointer
 Ssl::IcapPeerConnector::initializeSsl()
 {
-    SSL *ssl = Ssl::PeerConnector::initializeSsl();
+    auto ssl = Ssl::PeerConnector::initializeSsl();
     if (!ssl)
-        return NULL;
+        return nullptr;
 
     assert(!icapService->cfg().secure.sslDomain.isEmpty());
     SBuf *host = new SBuf(icapService->cfg().secure.sslDomain);
@@ -724,7 +724,7 @@ Ssl::IcapPeerConnector::noteNegotiationDone(ErrorState *error)
         return;
 
     const int fd = serverConnection()->fd;
-    SSL *ssl = fd_table[fd].ssl;
+    auto ssl = fd_table[fd].ssl;
     assert(ssl);
     if (!SSL_session_reused(ssl)) {
         if (icapService->sslSession)
diff --git a/src/client_side.cc b/src/client_side.cc
index 9eff410be2..313e93315e 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -3519,16 +3519,16 @@ httpAccept(const CommAcceptCbParams ¶ms)
 #if USE_OPENSSL
 
 /** Create SSL connection structure and update fd_table */
-static SSL *
+static Security::SessionPointer
 httpsCreate(const Comm::ConnectionPointer &conn, SSL_CTX *sslContext)
 {
-    if (SSL *ssl = Ssl::CreateServer(sslContext, conn->fd, "client https start")) {
+    if (auto ssl = Ssl::CreateServer(sslContext, conn->fd, "client https start")) {
         debugs(33, 5, "will negotate SSL on " << conn);
         return ssl;
     }
 
     conn->close();
-    return NULL;
+    return nullptr;
 }
 
 /**
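Review bot: The comment above httpsCreate still reads `/** Create SSL connection structure and update fd_table */` and says nothing about what the new `Security::SessionPointer` return value means, although the body in this hunk shows the failure path closes `conn` and returns `nullptr`, which every caller has to know. Suggested replacement: `/** Create the TLS session for conn and update fd_table; on failure closes conn and returns nullptr */`. httpsCreate is fully visible in the hunk, so the comment can be updated in place.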
@@ -3541,7 +3541,7 @@ static int
 Squid_SSL_accept(ConnStateData *conn, PF *callback)
 {
     int fd = conn->clientConnection->fd;
-    SSL *ssl = fd_table[fd].ssl;
+    auto ssl = fd_table[fd].ssl;
     int ret;
 
     errno = 0;
@@ -3590,7 +3590,7 @@ clientNegotiateSSL(int fd, void *data)
 {
     ConnStateData *conn = (ConnStateData *)data;
     X509 *client_cert;
-    SSL *ssl = fd_table[fd].ssl;
+    auto ssl = fd_table[fd].ssl;
     int ret;
 
     if ((ret = Squid_SSL_accept(conn, clientNegotiateSSL)) <= 0) {
@@ -3674,7 +3674,7 @@ clientNegotiateSSL(int fd, void *data)
 static void
 httpsEstablish(ConnStateData *connState, SSL_CTX *sslContext)
 {
-    SSL *ssl = NULL;
+    Security::SessionPointer ssl = nullptr;
     assert(connState);
 
     const Comm::ConnectionPointer &details = connState->clientConnection;
@@ -3820,12 +3820,12 @@ ConnStateData::sslCrtdHandleReply(const Helper::Reply &reply)
             debugs(33, 5, HERE << "Certificate for " << sslConnectHostOrIp << " was successfully recieved from ssl_crtd");
             if (sslServerBump && (sslServerBump->act.step1 == Ssl::bumpPeek || sslServerBump->act.step1 == Ssl::bumpStare)) {
                 doPeekAndSpliceStep();
-                SSL *ssl = fd_table[clientConnection->fd].ssl;
+                auto ssl = fd_table[clientConnection->fd].ssl;
                 bool ret = Ssl::configureSSLUsingPkeyAndCertFromMemory(ssl, reply_message.getBody().c_str(), *port);
                 if (!ret)
                     debugs(33, 5, "Failed to set certificates to ssl object for PeekAndSplice mode");
             } else {
-                SSL_CTX *ctx = Ssl::generateSslContextUsingPkeyAndCertFromMemory(reply_message.getBody().c_str(), *port);
+                auto ctx = Ssl::generateSslContextUsingPkeyAndCertFromMemory(reply_message.getBody().c_str(), *port);
                 getSslContextDone(ctx, true);
             }
             return;
@@ -3979,7 +3979,7 @@ ConnStateData::getSslContextStart()
         debugs(33, 5, HERE << "Generating SSL certificate for " << certProperties.commonName);
         if (sslServerBump && (sslServerBump->act.step1 == Ssl::bumpPeek || sslServerBump->act.step1 == Ssl::bumpStare)) {
             doPeekAndSpliceStep();
-            SSL *ssl = fd_table[clientConnection->fd].ssl;
+            auto ssl = fd_table[clientConnection->fd].ssl;
             if (!Ssl::configureSSL(ssl, certProperties, *port))
                 debugs(33, 5, "Failed to set certificates to ssl object for PeekAndSplice mode");
         } else {
@@ -4111,7 +4111,7 @@ static void
 clientPeekAndSpliceSSL(int fd, void *data)
 {
     ConnStateData *conn = (ConnStateData *)data;
-    SSL *ssl = fd_table[fd].ssl;
+    auto ssl = fd_table[fd].ssl;
 
     debugs(83, 5, "Start peek and splice on FD " << fd);
 
@@ -4173,7 +4173,7 @@ void ConnStateData::startPeekAndSplice()
     Comm::SetSelect(clientConnection->fd, COMM_SELECT_READ, clientPeekAndSpliceSSL, this, 0);
     switchedToHttps_ = true;
 
-    SSL *ssl = fd_table[clientConnection->fd].ssl;
+    auto ssl = fd_table[clientConnection->fd].ssl;
     BIO *b = SSL_get_rbio(ssl);
     Ssl::ClientBio *bio = static_cast(b->ptr);
     bio->hold(true);
@@ -4215,7 +4215,7 @@ void ConnStateData::splice()
 {
     //Normally we can splice here, because we just got client hello message
-    SSL *ssl = fd_table[clientConnection->fd].ssl;
+    auto ssl = fd_table[clientConnection->fd].ssl;
     BIO *b = SSL_get_rbio(ssl);
     Ssl::ClientBio *bio = static_cast(b->ptr);
     MemBuf const &rbuf = bio->rBufData();
@@ -4275,7 +4275,7 @@ ConnStateData::startPeekAndSpliceDone()
 
 void ConnStateData::doPeekAndSpliceStep()
 {
-    SSL *ssl = fd_table[clientConnection->fd].ssl;
+    auto ssl = fd_table[clientConnection->fd].ssl;
     BIO *b = SSL_get_rbio(ssl);
     assert(b);
     Ssl::ClientBio *bio = static_cast(b->ptr);
diff --git a/src/client_side_request.cc b/src/client_side_request.cc
index 6b37b01fde..e726b4d0da 100644
--- a/src/client_side_request.cc
+++ b/src/client_side_request.cc
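Review bot: The new `auto ssl = fd_table[clientConnection->fd].ssl;` lines in startPeekAndSplice (@@ -4173), splice (@@ -4215) and doPeekAndSpliceStep (@@ -4275) are handed straight to `SSL_get_rbio(ssl)`, whereas the equivalent line in tunnel.cc and in Ssl::IcapPeerConnector::noteNegotiationDone is followed by `assert(ssl);`. If the fd_table entry can ever be empty on these paths, the pointer is presumably dereferenced inside OpenSSL and the failure shows up as a crash rather than a diagnosed precondition; adding `assert(ssl);` after each of the three declarations states the assumption and keeps the call sites consistent. doPeekAndSpliceStep also asserts `b` after `SSL_get_rbio` while the other two do not, so `assert(b);` is worth adding there as well. All three functions continue outside their hunks.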
@@ -174,7 +174,7 @@ ClientHttpRequest::ClientHttpRequest(ConnStateData * aConn) :
 
 #if USE_OPENSSL
     if (aConn->clientConnection != NULL && aConn->clientConnection->isOpen()) {
-        if (SSL *ssl = fd_table[aConn->clientConnection->fd].ssl)
+        if (auto ssl = fd_table[aConn->clientConnection->fd].ssl)
             al->cache.sslClientCert.reset(SSL_get_peer_certificate(ssl));
     }
 #endif
diff --git a/src/external_acl.cc b/src/external_acl.cc
index be4db53290..a2a2656ced 100644
--- a/src/external_acl.cc
+++ b/src/external_acl.cc
@@ -1032,9 +1032,7 @@ makeExternalAclKey(ACLFilledChecklist * ch, external_acl_data * acl_data)
         case Format::LFT_EXT_ACL_USER_CERT_RAW:
 
             if (ch->conn() != NULL && Comm::IsConnOpen(ch->conn()->clientConnection)) {
-                SSL *ssl = fd_table[ch->conn()->clientConnection->fd].ssl;
-
-                if (ssl)
+                if (auto ssl = fd_table[ch->conn()->clientConnection->fd].ssl)
                     str = sslGetUserCertificatePEM(ssl);
             }
 
@@ -1043,9 +1041,7 @@ makeExternalAclKey(ACLFilledChecklist * ch, external_acl_data * acl_data)
         case Format::LFT_EXT_ACL_USER_CERTCHAIN_RAW:
 
             if (ch->conn() != NULL && Comm::IsConnOpen(ch->conn()->clientConnection)) {
-                SSL *ssl = fd_table[ch->conn()->clientConnection->fd].ssl;
-
-                if (ssl)
+                if (auto ssl = fd_table[ch->conn()->clientConnection->fd].ssl)
                     str = sslGetUserCertificateChainPEM(ssl);
             }
 
@@ -1054,9 +1050,7 @@ makeExternalAclKey(ACLFilledChecklist * ch, external_acl_data * acl_data)
         case Format::LFT_EXT_ACL_USER_CERT:
 
             if (ch->conn() != NULL && Comm::IsConnOpen(ch->conn()->clientConnection)) {
-                SSL *ssl = fd_table[ch->conn()->clientConnection->fd].ssl;
-
-                if (ssl)
+                if (auto ssl = fd_table[ch->conn()->clientConnection->fd].ssl)
                     str = sslGetUserAttribute(ssl, format->header);
             }
 
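Review bot: The four certificate cases in makeExternalAclKey (@@ -1032, @@ -1043, @@ -1054 here and @@ -1065 in the next run) each repeat the same connection-open guard followed by the same `fd_table[...].ssl` lookup, and the new `if (auto ssl = ...)` form now copies that expression into every case. A small file-local helper keeps the guard in one place, so that a later change to how the client session is located (or to the null check) cannot drift between the cases; each case body then reduces to `if (auto ssl = clientSslSession(ch))` plus its existing getter call. The helper name below is a suggestion; if these cases sit inside a USE_OPENSSL block, the helper belongs in the same block. makeExternalAclKey starts and ends outside the hunks.
```cpp
/// TLS session of the checklist's client connection, or nullptr when there
/// is no open client connection (shared by the LFT_EXT_ACL_USER_* cases)
static Security::SessionPointer
clientSslSession(ACLFilledChecklist *ch)
{
    if (ch->conn() != NULL && Comm::IsConnOpen(ch->conn()->clientConnection))
        return fd_table[ch->conn()->clientConnection->fd].ssl;
    return nullptr;
}

// … unchanged: makeExternalAclKey up to the certificate cases …
        case Format::LFT_EXT_ACL_USER_CERT_RAW:
            if (auto ssl = clientSslSession(ch))
                str = sslGetUserCertificatePEM(ssl);
// … unchanged: remaining cases, each using clientSslSession(ch) the same way …
```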
@@ -1065,9 +1059,7 @@ makeExternalAclKey(ACLFilledChecklist * ch, external_acl_data * acl_data)
         case Format::LFT_EXT_ACL_USER_CA_CERT:
 
             if (ch->conn() != NULL && Comm::IsConnOpen(ch->conn()->clientConnection)) {
-                SSL *ssl = fd_table[ch->conn()->clientConnection->fd].ssl;
-
-                if (ssl)
+                if (auto ssl = fd_table[ch->conn()->clientConnection->fd].ssl)
                     str = sslGetCAAttribute(ssl, format->header);
             }
 
diff --git a/src/fde.h b/src/fde.h
index 046779a753..01afa88280 100644
--- a/src/fde.h
+++ b/src/fde.h
@@ -12,10 +12,7 @@
 #include "comm.h"
 #include "defines.h"
 #include "ip/Address.h"
-
-#if HAVE_OPENSSL_SSL_H
-#include
-#endif
+#include "security/forward.h"
 
 #if USE_DELAY_POOLS
 class ClientInfo;
@@ -109,8 +106,8 @@ public:
     CommWriteStateData *wstate;         /* State data for comm_write */
     READ_HANDLER *read_method;
     WRITE_HANDLER *write_method;
+    Security::SessionPointer ssl;
 #if USE_OPENSSL
-    SSL *ssl;
     SSL_CTX *dynamicSslContext; ///< cached and then freed when fd is closed
 #endif
 #if _SQUID_WINDOWS_
@@ -161,8 +158,8 @@ private:
         wstate = NULL;
         read_method = NULL;
         write_method = NULL;
-#if USE_OPENSSL
         ssl = NULL;
+#if USE_OPENSSL
         dynamicSslContext = NULL;
 #endif
 #if _SQUID_WINDOWS_
diff --git a/src/security/Makefile.am b/src/security/Makefile.am
index b483e8a2fb..475c094fd8 100644
--- a/src/security/Makefile.am
+++ b/src/security/Makefile.am
@@ -16,4 +16,5 @@ libsecurity_la_SOURCES= \
 	EncryptorAnswer.h \
 	forward.h \
 	PeerOptions.cc \
-	PeerOptions.h
+	PeerOptions.h \
+	Session.h
diff --git a/src/security/Session.h b/src/security/Session.h
new file mode 100644
index 0000000000..86e23b20fa
--- /dev/null
+++ b/src/security/Session.h
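Review bot: The new member `Security::SessionPointer ssl;` at @@ -109 in fde.h is now declared in every build, including ones with no TLS library where Session.h makes it the `void*` fallback, yet it carries no comment while `dynamicSslContext` right below it documents its lifetime. Suggested: `Security::SessionPointer ssl; ///< TLS session state for this FD, nullptr when the FD carries none`. The clear() hunk at @@ -161 already resets it to NULL outside the `#if USE_OPENSSL` guard, so initialization matches the unconditional declaration; the comment would make that pairing visible to readers of the header alone. The fde class itself starts and ends outside these hunks.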
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
+ *
+ * Squid software is distributed under GPLv2+ license and includes
+ * contributions from numerous individuals and organizations.
+ * Please see the COPYING and CONTRIBUTORS files for details.
+ */
+
+#ifndef SQUID_SRC_SECURITY_SESSION_H
+#define SQUID_SRC_SECURITY_SESSION_H
+
+#if USE_OPENSSL
+#if HAVE_OPENSSL_SSL_H
+#include
+#endif
+#endif
+
+#if USE_GNUTLS
+#if HAVE_GNUTLS_GNUTLS_H
+#include
+#endif
+#endif
+
+namespace Security {
+
+#if USE_OPENSSL
+typedef SSL* SessionPointer;
+
+#elif USE_GNUTLS
+typedef gnutls_session_t SessionPointer;
+
+#else
+// use void* so we can check against NULL
+typedef void* SessionPointer;
+#endif
+
+} // namespace Security
+
+#endif /* SQUID_SRC_SECURITY_SESSION_H */
+
diff --git a/src/security/forward.h b/src/security/forward.h
index bf49f518b6..96204331da 100644
--- a/src/security/forward.h
+++ b/src/security/forward.h
@@ -10,6 +10,7 @@
 #define SQUID_SRC_SECURITY_FORWARD_H
 
 #include "security/Context.h"
+#include "security/Session.h"
 
 /* flags a SSL connection can be configured with */
 #define SSL_FLAG_NO_DEFAULT_CA (1<<0)
diff --git a/src/tunnel.cc b/src/tunnel.cc
index 7671f9b07a..9746b9f03b 100644
--- a/src/tunnel.cc
+++ b/src/tunnel.cc
@@ -1252,7 +1252,7 @@ switchToTunnel(HttpRequest *request, Comm::ConnectionPointer &clientConn, Comm::
     fd_table[srvConn->fd].read_method = &default_read_method;
     fd_table[srvConn->fd].write_method = &default_write_method;
 
-    SSL *ssl = fd_table[srvConn->fd].ssl;
+    auto ssl = fd_table[srvConn->fd].ssl;
     assert(ssl);
     BIO *b = SSL_get_rbio(ssl);
     Ssl::ServerBio *srvBio = static_cast(b->ptr);
-- 
2.47.2
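Review bot: The `typedef void* SessionPointer;` fallback in Session.h makes any object pointer implicitly assignable to the `ssl` member that fde.h now declares unconditionally, so in a build with neither OpenSSL nor GnuTLS a mistaken assignment compiles silently; an opaque incomplete type keeps the NULL comparison the comment asks for while preserving type checking, e.g. `class NoSession; typedef NoSession* SessionPointer;` (the name is a suggestion). Separately, the alias has no documentation, and in Squid a `*Pointer` name usually denotes a ref-counted smart pointer such as `Comm::ConnectionPointer`, whereas this is a plain library handle with no ownership semantics; a line such as `/// the TLS library's per-connection session handle: a raw alias with no ownership, not a ref-counted Pointer` above the `namespace Security` block would stop readers from assuming it releases the session.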
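Review bot: `security/forward.h` now includes `security/Session.h`, which (judging by the `HAVE_OPENSSL_SSL_H` and `HAVE_GNUTLS_GNUTLS_H` guards) pulls the full OpenSSL or GnuTLS public headers into every translation unit that includes the forward header, and via the fde.h hunk in this commit that now covers everything including fde.h; a forward header is normally expected to be cheap. Since `SessionPointer` is a pointer alias in every branch, Session.h only needs the library's type declaration, so the lighter `<openssl/ossl_typ.h>` for OpenSSL, or a forward declaration of the session struct, would keep the forward header self-contained without the include cost. If the heavy include is intended so that callers can use `auto ssl` with the library API directly, a comment in Session.h saying so would save the next reader the same question.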