clientNegotiateSSL(int fd, void *data)
{
ConnStateData *conn = (ConnStateData *)data;
- X509 *client_cert;
- auto ssl = fd_table[fd].ssl.get();
-
int ret;
if ((ret = Squid_SSL_accept(conn, clientNegotiateSSL)) <= 0) {
if (ret < 0) // An error
return;
}
- if (Security::SessionIsResumed(fd_table[fd].ssl)) {
- debugs(83, 2, "clientNegotiateSSL: Session " << SSL_get_session(ssl) <<
- " reused on FD " << fd << " (" << fd_table[fd].ipaddr << ":" << (int)fd_table[fd].remote_port << ")");
+ Security::SessionPointer session(fd_table[fd].ssl);
+ if (Security::SessionIsResumed(session)) {
+ debugs(83, 2, "Session " << SSL_get_session(session.get()) <<
+ " reused on FD " << fd << " (" << fd_table[fd].ipaddr <<
+ ":" << (int)fd_table[fd].remote_port << ")");
} else {
if (Debug::Enabled(83, 4)) {
/* Write out the SSL session details.. actually the call below, but
* OpenSSL headers do strange typecasts confusing GCC.. */
/* PEM_write_SSL_SESSION(debug_log, SSL_get_session(ssl)); */
#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x00908000L
- PEM_ASN1_write((i2d_of_void *)i2d_SSL_SESSION, PEM_STRING_SSL_SESSION, debug_log, (char *)SSL_get_session(ssl), NULL,NULL,0,NULL,NULL);
+ PEM_ASN1_write(reinterpret_cast<i2d_of_void *>(i2d_SSL_SESSION),
+ PEM_STRING_SSL_SESSION, debug_log,
+ static_cast<char *>(SSL_get_session(session.get())),
+ nullptr, nullptr, 0, nullptr, nullptr);
#elif (ALLOW_ALWAYS_SSL_SESSION_DETAIL == 1)
* Because there are two possible usable cast, if you get an error here, try the other
* commented line. */
- PEM_ASN1_write((int(*)())i2d_SSL_SESSION, PEM_STRING_SSL_SESSION, debug_log, (char *)SSL_get_session(ssl), NULL,NULL,0,NULL,NULL);
- /* PEM_ASN1_write((int(*)(...))i2d_SSL_SESSION, PEM_STRING_SSL_SESSION, debug_log, (char *)SSL_get_session(ssl), NULL,NULL,0,NULL,NULL); */
-
+ PEM_ASN1_write((int(*)())i2d_SSL_SESSION, PEM_STRING_SSL_SESSION,
+ debug_log,
+ static_cast<char *>(SSL_get_session(session.get())),
+ nullptr, nullptr, 0, nullptr, nullptr);
+ /* PEM_ASN1_write((int(*)(...))i2d_SSL_SESSION, PEM_STRING_SSL_SESSION,
+ debug_log,
+ static_cast<char *>(SSL_get_session(session.get())),
+ nullptr, nullptr, 0, nullptr, nullptr);
+ */
#else
-
- debugs(83, 4, "With " OPENSSL_VERSION_TEXT ", session details are available only defining ALLOW_ALWAYS_SSL_SESSION_DETAIL=1 in the source." );
+ debugs(83, 4, "With " OPENSSL_VERSION_TEXT ", session details are available only defining ALLOW_ALWAYS_SSL_SESSION_DETAIL=1 in the source.");
#endif
/* Note: This does not automatically fflush the log file.. */
}
- debugs(83, 2, "clientNegotiateSSL: New session " <<
- SSL_get_session(ssl) << " on FD " << fd << " (" <<
- fd_table[fd].ipaddr << ":" << (int)fd_table[fd].remote_port <<
- ")");
+ debugs(83, 2, "New session " << SSL_get_session(session.get()) <<
+ " on FD " << fd << " (" << fd_table[fd].ipaddr << ":" <<
+ fd_table[fd].remote_port << ")");
}
// Connection established. Retrieve TLS connection parameters for logging.
- conn->clientConnection->tlsNegotiations()->retrieveNegotiatedInfo(ssl);
+ conn->clientConnection->tlsNegotiations()->retrieveNegotiatedInfo(session);
- client_cert = SSL_get_peer_certificate(ssl);
+ X509 *client_cert = SSL_get_peer_certificate(session.get());
- if (client_cert != NULL) {
- debugs(83, 3, "clientNegotiateSSL: FD " << fd <<
- " client certificate: subject: " <<
+ if (client_cert) {
+ debugs(83, 3, "FD " << fd << " client certificate: subject: " <<
X509_NAME_oneline(X509_get_subject_name(client_cert), 0, 0));
- debugs(83, 3, "clientNegotiateSSL: FD " << fd <<
- " client certificate: issuer: " <<
+ debugs(83, 3, "FD " << fd << " client certificate: issuer: " <<
X509_NAME_oneline(X509_get_issuer_name(client_cert), 0, 0));
X509_free(client_cert);
} else {
- debugs(83, 5, "clientNegotiateSSL: FD " << fd <<
- " has no certificate.");
+ debugs(83, 5, "FD " << fd << " has no certificate.");
}
#if defined(TLSEXT_NAMETYPE_host_name)
if (!conn->serverBump()) {
// when in bumpClientFirst mode, get the server name from SNI
- if (const char *server = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))
+ if (const char *server = SSL_get_servername(session.get(), TLSEXT_NAMETYPE_host_name))
conn->resetSslCommonName(server);
}
#endif
bool operator ==(const SelfType &o) const { return (o.get() == raw); }
bool operator !=(const SelfType &o) const { return (o.get() != raw); }
+ T *operator ->() const { return raw; }
+
/// Returns raw and possibly nullptr pointer
T *get() const { return raw; }
#endif
void
-Security::NegotiationHistory::retrieveNegotiatedInfo(Security::SessionPtr ssl)
+Security::NegotiationHistory::retrieveNegotiatedInfo(const Security::SessionPointer &session)
{
#if USE_OPENSSL
- if ((cipher = SSL_get_current_cipher(ssl)) != NULL) {
+ if ((cipher = SSL_get_current_cipher(session.get()))) {
// Set the negotiated version only if the cipher negotiated
// else probably the negotiation is not completed and version
// is not the final negotiated version
- version_ = toProtocolVersion(ssl->version);
+ version_ = toProtocolVersion(session->version);
}
if (Debug::Enabled(83, 5)) {
- BIO *b = SSL_get_rbio(ssl);
+ BIO *b = SSL_get_rbio(session.get());
Ssl::Bio *bio = static_cast<Ssl::Bio *>(b->ptr);
debugs(83, 5, "SSL connection info on FD " << bio->fd() <<
" SSL version " << version_ <<
NegotiationHistory();
/// Extract negotiation information from TLS object
- void retrieveNegotiatedInfo(Security::SessionPtr);
+ void retrieveNegotiatedInfo(const Security::SessionPointer &);
/// Extract information from parser stored in TlsDetails object
void retrieveParsedInfo(Security::TlsDetails::Pointer const &details);
void
Security::PeerConnector::recordNegotiationDetails()
{
-#if USE_OPENSSL
const int fd = serverConnection()->fd;
- Security::SessionPtr ssl = fd_table[fd].ssl.get();
+ Security::SessionPointer session(fd_table[fd].ssl);
// retrieve TLS server negotiated information if any
- serverConnection()->tlsNegotiations()->retrieveNegotiatedInfo(ssl);
+ serverConnection()->tlsNegotiations()->retrieveNegotiatedInfo(session);
+
+#if USE_OPENSSL
// retrieve TLS parsed extra info
- BIO *b = SSL_get_rbio(ssl);
+ BIO *b = SSL_get_rbio(session.get());
Ssl::ServerBio *bio = static_cast<Ssl::ServerBio *>(b->ptr);
if (const Security::TlsDetails::Pointer &details = bio->receivedHelloDetails())
serverConnection()->tlsNegotiations()->retrieveParsedInfo(details);
#if USE_OPENSSL
if (Ssl::TheConfig.ssl_crt_validator && useCertValidator_) {
const int fd = serverConnection()->fd;
- Security::SessionPtr ssl = fd_table[fd].ssl.get();
+ Security::SessionPointer session(fd_table[fd].ssl);
Ssl::CertValidationRequest validationRequest;
// WARNING: Currently we do not use any locking for any of the
// members of the Ssl::CertValidationRequest class. In this code the
// Ssl::CertValidationRequest object used only to pass data to
// Ssl::CertValidationHelper::submit method.
- validationRequest.ssl = ssl;
+ validationRequest.ssl = session.get();
validationRequest.domainName = request->url.host();
- if (Security::CertErrors *errs = static_cast<Security::CertErrors *>(SSL_get_ex_data(ssl, ssl_ex_index_ssl_errors)))
+ if (Security::CertErrors *errs = static_cast<Security::CertErrors *>(SSL_get_ex_data(session.get(), ssl_ex_index_ssl_errors)))
// validationRequest disappears on return so no need to cbdataReference
validationRequest.errors = errs;
- else
- validationRequest.errors = NULL;
try {
debugs(83, 5, "Sending SSL certificate for validation to ssl_crtvd.");
AsyncCall::Pointer call = asyncCall(83,5, "Security::PeerConnector::sslCrtvdHandleReply", Ssl::CertValidationHelper::CbDialer(this, &Security::PeerConnector::sslCrtvdHandleReply, nullptr));
if (validationResponse->resultCode == ::Helper::Error) {
if (Security::CertErrors *errs = sslCrtvdCheckForErrors(*validationResponse, errDetails)) {
- Security::SessionPtr ssl = fd_table[serverConnection()->fd].ssl.get();
- Security::CertErrors *oldErrs = static_cast<Security::CertErrors*>(SSL_get_ex_data(ssl, ssl_ex_index_ssl_errors));
- SSL_set_ex_data(ssl, ssl_ex_index_ssl_errors, (void *)errs);
+ Security::SessionPointer session(fd_table[serverConnection()->fd].ssl);
+ Security::CertErrors *oldErrs = static_cast<Security::CertErrors*>(SSL_get_ex_data(session.get(), ssl_ex_index_ssl_errors));
+ SSL_set_ex_data(session.get(), ssl_ex_index_ssl_errors, (void *)errs);
delete oldErrs;
}
} else if (validationResponse->resultCode != ::Helper::Okay)
}
Security::CertErrors *errs = nullptr;
- Security::SessionPtr ssl = fd_table[serverConnection()->fd].ssl.get();
+ Security::SessionPointer session(fd_table[serverConnection()->fd].ssl);
typedef Ssl::CertValidationResponse::RecvdErrors::const_iterator SVCRECI;
for (SVCRECI i = resp.errors.begin(); i != resp.errors.end(); ++i) {
debugs(83, 7, "Error item: " << i->error_no << " " << i->error_reason);
} else {
debugs(83, 5, "confirming SSL error " << i->error_no);
X509 *brokenCert = i->cert.get();
- Security::CertPointer peerCert(SSL_get_peer_certificate(ssl));
+ Security::CertPointer peerCert(SSL_get_peer_certificate(session.get()));
const char *aReason = i->error_reason.empty() ? NULL : i->error_reason.c_str();
errDetails = new Ssl::ErrorDetail(i->error_no, peerCert.get(), brokenCert, aReason);
}
#if USE_OPENSSL
const int fd = serverConnection()->fd;
unsigned long ssl_lib_error = SSL_ERROR_NONE;
- Security::SessionPtr ssl = fd_table[fd].ssl.get();
- const int ssl_error = SSL_get_error(ssl, ret);
+ Security::SessionPointer session(fd_table[fd].ssl);
+ const int ssl_error = SSL_get_error(session.get(), ret);
switch (ssl_error) {
case SSL_ERROR_WANT_READ:
{
const int fd = serverConnection()->fd;
#if USE_OPENSSL
- Security::SessionPtr ssl = fd_table[fd].ssl.get();
- BIO *b = SSL_get_rbio(ssl);
+ Security::SessionPointer session(fd_table[fd].ssl);
+ BIO *b = SSL_get_rbio(session.get());
Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(b->ptr);
if (srvBio->holdRead()) {
if (srvBio->gotHello()) {
anErr = new ErrorState(ERR_SECURE_CONNECT_FAIL, Http::scServiceUnavailable, NULL);
anErr->xerrno = sysErrNo;
- Security::SessionPtr ssl = fd_table[fd].ssl.get();
- Ssl::ErrorDetail *errFromFailure = static_cast<Ssl::ErrorDetail *>(SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_detail));
+ Security::SessionPointer session(fd_table[fd].ssl);
+ Ssl::ErrorDetail *errFromFailure = static_cast<Ssl::ErrorDetail *>(SSL_get_ex_data(session.get(), ssl_ex_index_ssl_error_detail));
if (errFromFailure != NULL) {
// The errFromFailure is attached to the ssl object
// and will be released when ssl object destroyed.
anErr->detail = new Ssl::ErrorDetail(*errFromFailure);
} else {
// server_cert can be NULL here
- X509 *server_cert = SSL_get_peer_certificate(ssl);
+ X509 *server_cert = SSL_get_peer_certificate(session.get());
anErr->detail = new Ssl::ErrorDetail(SQUID_ERR_SSL_HANDSHAKE, server_cert, NULL);
X509_free(server_cert);
}
// get ServerBio from SSL object
const int fd = serverConnection()->fd;
- Security::SessionPtr ssl = fd_table[fd].ssl.get();
- BIO *b = SSL_get_rbio(ssl);
+ Security::SessionPointer session(fd_table[fd].ssl);
+ BIO *b = SSL_get_rbio(session.get());
Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(b->ptr);
// Parse Certificate. Assume that it is in DER format.
if (const char *issuerUri = Ssl::uriOfIssuerIfMissing(cert, certsList)) {
urlsOfMissingCerts.push(SBuf(issuerUri));
}
- Ssl::SSL_add_untrusted_cert(ssl, cert);
+ Ssl::SSL_add_untrusted_cert(session.get(), cert);
}
// Check if there are URIs to download from and if yes start downloading
return false;
const int fd = serverConnection()->fd;
- Security::SessionPtr ssl = fd_table[fd].ssl.get();
- BIO *b = SSL_get_rbio(ssl);
+ Security::SessionPointer session(fd_table[fd].ssl);
+ BIO *b = SSL_get_rbio(session.get());
Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(b->ptr);
const Security::CertList &certs = srvBio->serverCertificatesIfAny();
namespace Security {
#if USE_OPENSSL
-typedef SSL* SessionPtr;
CtoCpp1(SSL_free, SSL *);
typedef LockingPointer<SSL, Security::SSL_free_cpp, CRYPTO_LOCK_SSL> SessionPointer;
typedef std::unique_ptr<SSL_SESSION, HardFun<void, SSL_SESSION*, &SSL_SESSION_free>> SessionStatePointer;
#elif USE_GNUTLS
-typedef gnutls_session_t SessionPtr;
// Locks can be implemented attaching locks counter to gnutls_session_t
// objects using the gnutls_session_set_ptr()/gnutls_session_get_ptr ()
// library functions
#else
// use void* so we can check against NULL
-typedef void* SessionPtr;
-CtoCpp1(xfree, SessionPtr);
+CtoCpp1(xfree, void *);
typedef LockingPointer<void, xfree_cpp, -1> SessionPointer;
typedef std::unique_ptr<int> SessionStatePointer;
acl_checklist->banAction(allow_t(ACCESS_ALLOWED, Ssl::bumpStare));
acl_checklist->banAction(allow_t(ACCESS_ALLOWED, Ssl::bumpClientFirst));
acl_checklist->banAction(allow_t(ACCESS_ALLOWED, Ssl::bumpServerFirst));
- Security::SessionPtr ssl = fd_table[serverConn->fd].ssl.get();
- BIO *b = SSL_get_rbio(ssl);
+ Security::SessionPointer session(fd_table[serverConn->fd].ssl);
+ BIO *b = SSL_get_rbio(session.get());
Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(b->ptr);
if (!srvBio->canSplice())
acl_checklist->banAction(allow_t(ACCESS_ALLOWED, Ssl::bumpSplice));
void
Ssl::PeekingPeerConnector::checkForPeekAndSpliceMatched(const Ssl::BumpMode action)
{
- Security::SessionPtr ssl = fd_table[serverConn->fd].ssl.get();
- BIO *b = SSL_get_rbio(ssl);
+ Security::SessionPointer session(fd_table[serverConn->fd].ssl);
+ BIO *b = SSL_get_rbio(session.get());
Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(b->ptr);
debugs(83,5, "Will check for peek and splice on FD " << serverConn->fd);
void
Ssl::PeekingPeerConnector::noteNegotiationDone(ErrorState *error)
{
- Security::SessionPtr ssl = fd_table[serverConnection()->fd].ssl.get();
-
// Check the list error with
- if (!request->clientConnectionManager.valid() || ! ssl)
+ if (!request->clientConnectionManager.valid() || !fd_table[serverConnection()->fd].ssl)
return;
// remember the server certificate from the ErrorDetail object
Ssl::PeekingPeerConnector::noteWantWrite()
{
const int fd = serverConnection()->fd;
- Security::SessionPtr ssl = fd_table[fd].ssl.get();
- BIO *b = SSL_get_rbio(ssl);
+ Security::SessionPointer session(fd_table[fd].ssl);
+ BIO *b = SSL_get_rbio(session.get());
Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(b->ptr);
if ((srvBio->bumpMode() == Ssl::bumpPeek || srvBio->bumpMode() == Ssl::bumpStare) && srvBio->holdWrite()) {
Ssl::PeekingPeerConnector::noteNegotiationError(const int result, const int ssl_error, const int ssl_lib_error)
{
const int fd = serverConnection()->fd;
- Security::SessionPtr ssl = fd_table[fd].ssl.get();
- BIO *b = SSL_get_rbio(ssl);
+ Security::SessionPointer session(fd_table[fd].ssl);
+ BIO *b = SSL_get_rbio(session.get());
Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(b->ptr);
// In Peek mode, the ClientHello message sent to the server. If the
// thus hiding them.
// Abort if no certificate found probably because of malformed or
// unsupported server Hello message (TODO: make configurable).
- if (!SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_detail) &&
+ if (!SSL_get_ex_data(session.get(), ssl_ex_index_ssl_error_detail) &&
(srvBio->bumpMode() == Ssl::bumpPeek || srvBio->bumpMode() == Ssl::bumpStare) && srvBio->holdWrite()) {
- Security::CertPointer serverCert(SSL_get_peer_certificate(ssl));
- if (serverCert.get()) {
+ Security::CertPointer serverCert(SSL_get_peer_certificate(session.get()));
+ if (serverCert) {
debugs(81, 3, "Error (" << ERR_error_string(ssl_lib_error, NULL) << ") but, hold write on SSL connection on FD " << fd);
checkForPeekAndSplice();
return;
if (ConnStateData *csd = request->clientConnectionManager.valid()) {
const int fd = serverConnection()->fd;
- Security::SessionPtr ssl = fd_table[fd].ssl.get();
- Security::CertPointer serverCert(SSL_get_peer_certificate(ssl));
- if (!serverCert.get())
+ Security::SessionPointer session(fd_table[fd].ssl);
+ Security::CertPointer serverCert(SSL_get_peer_certificate(session.get()));
+ if (!serverCert)
return;
serverCertificateHandled = true;
serverCert.resetAndLock(serverBump->serverCert.get());
else {
const int fd = serverConnection()->fd;
- Security::SessionPtr ssl = fd_table[fd].ssl.get();
- serverCert.resetWithoutLocking(SSL_get_peer_certificate(ssl));
+ Security::SessionPointer session(fd_table[fd].ssl);
+ serverCert.resetWithoutLocking(SSL_get_peer_certificate(session.get()));
}
- if (serverCert.get()) {
+ if (serverCert) {
csd->resetSslCommonName(Ssl::CommonHostName(serverCert.get()));
debugs(83, 5, "HTTPS server CN: " << csd->sslCommonName() <<
" bumped: " << *serverConnection());
#include "security/NegotiationHistory.h"
Security::NegotiationHistory::NegotiationHistory() STUB
-void Security::NegotiationHistory::retrieveNegotiatedInfo(Security::SessionPtr) STUB
+void Security::NegotiationHistory::retrieveNegotiatedInfo(const Security::SessionPointer &) STUB
void Security::NegotiationHistory::retrieveParsedInfo(Security::TlsDetails::Pointer const &) STUB
const char *Security::NegotiationHistory::cipherName() const STUB
const char *Security::NegotiationHistory::printTlsVersion(AnyP::ProtocolVersion const &v) const STUB
projects / thirdparty / squid.git / commitdiff
