From: Amos Jeffries Date: Thu, 22 Sep 2016 14:21:12 +0000 (+1200) Subject: Cleanup: Security::ContextPtr removal, pt4 X-Git-Tag: SQUID_4_0_15~25 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b23f5f9c894342f6dfbab74fd38ce9e4cfc03821;p=thirdparty%2Fsquid.git Cleanup: Security::ContextPtr removal, pt4 Remove final uses of ContextPtr by passing ContextPointer& around instead of raw-pointers. --- diff --git a/src/adaptation/icap/Xaction.cc b/src/adaptation/icap/Xaction.cc index 7b8ed668c4..4734fc9d9e 100644 --- a/src/adaptation/icap/Xaction.cc +++ b/src/adaptation/icap/Xaction.cc @@ -64,8 +64,8 @@ public: /* Security::PeerConnector API */ virtual bool initialize(Security::SessionPointer &); virtual void noteNegotiationDone(ErrorState *error); - virtual Security::ContextPtr getSslContext() { - return icapService->sslContext.get(); + virtual Security::ContextPointer getTlsContext() { + return icapService->sslContext; } private: diff --git a/src/client_side.cc b/src/client_side.cc index 6647c84aaf..4987fc407a 100644 --- a/src/client_side.cc +++ b/src/client_side.cc @@ -2880,8 +2880,9 @@ ConnStateData::sslCrtdHandleReply(const Helper::Reply &reply) if (!ret) debugs(33, 5, "Failed to set certificates to ssl object for PeekAndSplice mode"); - SSL_CTX *sslContext = SSL_get_SSL_CTX(ssl); - Ssl::configureUnconfiguredSslContext(sslContext, signAlgorithm, *port); + Security::ContextPointer ctx; + ctx.resetAndLock(SSL_get_SSL_CTX(ssl)); + Ssl::configureUnconfiguredSslContext(ctx, signAlgorithm, *port); } else { Security::ContextPointer ctx(Ssl::generateSslContextUsingPkeyAndCertFromMemory(reply_message.getBody().c_str(), *port)); getSslContextDone(ctx, true); @@ -3007,7 +3008,7 @@ ConnStateData::getSslContextStart() Security::ContextPointer *cachedCtx = ssl_ctx_cache ? ssl_ctx_cache->get(sslBumpCertKey.termedBuf()) : nullptr; if (cachedCtx) { debugs(33, 5, "SSL certificate for " << sslBumpCertKey << " found in cache"); - if (Ssl::verifySslCertificate(cachedCtx->get(), certProperties)) { + if (Ssl::verifySslCertificate(*cachedCtx, certProperties)) { debugs(33, 5, "Cached SSL certificate for " << sslBumpCertKey << " is valid"); getSslContextDone(*cachedCtx); return; @@ -3046,8 +3047,9 @@ ConnStateData::getSslContextStart() if (!Ssl::configureSSL(ssl, certProperties, *port)) debugs(33, 5, "Failed to set certificates to ssl object for PeekAndSplice mode"); - SSL_CTX *sslContext = SSL_get_SSL_CTX(ssl); - Ssl::configureUnconfiguredSslContext(sslContext, certProperties.signAlgorithm, *port); + Security::ContextPointer ctx; + ctx.resetAndLock(SSL_get_SSL_CTX(ssl)); + Ssl::configureUnconfiguredSslContext(ctx, certProperties.signAlgorithm, *port); } else { Security::ContextPointer dynCtx(Ssl::generateSslContext(certProperties, *port)); getSslContextDone(dynCtx, true); @@ -3066,7 +3068,7 @@ ConnStateData::getSslContextDone(Security::ContextPointer &ctx, bool isNew) if (port->generateHostCertificates && isNew) { if (ctx && (signAlgorithm == Ssl::algSignTrusted)) { - Ssl::chainCertificatesToSSLContext(ctx.get(), *port); + Ssl::chainCertificatesToSSLContext(ctx, *port); } else if (signAlgorithm == Ssl::algSignTrusted) { debugs(33, DBG_IMPORTANT, "WARNING: can not add signing certificate to SSL context chain because SSL context chain is invalid!"); } diff --git a/src/security/BlindPeerConnector.cc b/src/security/BlindPeerConnector.cc index 136f5a23ee..1a1a3a3bfc 100644 --- a/src/security/BlindPeerConnector.cc +++ b/src/security/BlindPeerConnector.cc @@ -19,14 +19,14 @@ CBDATA_NAMESPACED_CLASS_INIT(Security, BlindPeerConnector); -Security::ContextPtr -Security::BlindPeerConnector::getSslContext() +Security::ContextPointer +Security::BlindPeerConnector::getTlsContext() { if (const CachePeer *peer = serverConnection()->getPeer()) { assert(peer->secure.encryptTransport); - return peer->sslContext.get(); + return peer->sslContext; } - return ::Config.ssl_client.sslContext.get(); + return ::Config.ssl_client.sslContext; } bool diff --git a/src/security/BlindPeerConnector.h b/src/security/BlindPeerConnector.h index 4db37a03f8..5e08cc9f9a 100644 --- a/src/security/BlindPeerConnector.h +++ b/src/security/BlindPeerConnector.h @@ -39,8 +39,8 @@ public: /// \returns true on successful initialization virtual bool initialize(Security::SessionPointer &); - /// Return the configured Security::ContextPtr object - virtual Security::ContextPtr getSslContext(); + /// Return the configured TLS context object + virtual Security::ContextPointer getTlsContext(); /// On error calls peerConnectFailed(). /// On success store the used TLS session for later use. diff --git a/src/security/Context.h b/src/security/Context.h index b1a3a27f85..f1343c5e0c 100644 --- a/src/security/Context.h +++ b/src/security/Context.h @@ -24,27 +24,16 @@ namespace Security { -/* IMPORTANT: - * Due to circular dependency issues between ssl/libsslsquid.la and - * security/libsecurity.la the code within src/ssl/ is restricted to - * only using Security::ContextPtr, it MUST NOT use ContextPointer - * - * Code outside of src/ssl/ should always use Security::ContextPointer - * when storing a reference to a context. - */ #if USE_OPENSSL -typedef SSL_CTX* ContextPtr; CtoCpp1(SSL_CTX_free, SSL_CTX *); typedef LockingPointer ContextPointer; #elif USE_GNUTLS -typedef gnutls_certificate_credentials_t ContextPtr; CtoCpp1(gnutls_certificate_free_credentials, gnutls_certificate_credentials_t); typedef Security::LockingPointer ContextPointer; #else // use void* so we can check against nullptr -typedef void* ContextPtr; typedef Security::LockingPointer ContextPointer; #endif diff --git a/src/security/LockingPointer.h b/src/security/LockingPointer.h index 8ed9b34932..26127b63e1 100644 --- a/src/security/LockingPointer.h +++ b/src/security/LockingPointer.h @@ -66,7 +66,7 @@ public: ~LockingPointer() { unlock(); } // copy semantics are okay only when adding a lock reference - explicit LockingPointer(const SelfType &o) : raw(nullptr) { + LockingPointer(const SelfType &o) : raw(nullptr) { resetAndLock(o.get()); } const SelfType &operator =(const SelfType &o) { diff --git a/src/security/PeerConnector.cc b/src/security/PeerConnector.cc index 977369a9fb..a964f7909e 100644 --- a/src/security/PeerConnector.cc +++ b/src/security/PeerConnector.cc @@ -100,10 +100,10 @@ bool Security::PeerConnector::initialize(Security::SessionPointer &serverSession) { #if USE_OPENSSL - Security::ContextPtr sslContext(getSslContext()); - assert(sslContext); + Security::ContextPointer ctx(getTlsContext()); + assert(ctx); - if (!Ssl::CreateClient(sslContext, serverConnection(), "server https start")) { + if (!Ssl::CreateClient(ctx, serverConnection(), "server https start")) { ErrorState *anErr = new ErrorState(ERR_SOCKET_FAILURE, Http::scInternalServerError, request.getRaw()); anErr->xerrno = errno; debugs(83, DBG_IMPORTANT, "Error allocating TLS handle: " << ERR_error_string(ERR_get_error(), NULL)); diff --git a/src/security/PeerConnector.h b/src/security/PeerConnector.h index 618c23ed42..95ffb3328b 100644 --- a/src/security/PeerConnector.h +++ b/src/security/PeerConnector.h @@ -155,9 +155,9 @@ protected: /// \param error if not NULL the SSL negotiation was aborted with an error virtual void noteNegotiationDone(ErrorState *error) {} - /// Must implemented by the kid classes to return the Security::ContextPtr object to use + /// Must implemented by the kid classes to return the TLS context object to use /// for building the encryption context objects. - virtual Security::ContextPtr getSslContext() = 0; + virtual Security::ContextPointer getTlsContext() = 0; /// mimics FwdState to minimize changes to FwdState::initiate/negotiateSsl Comm::ConnectionPointer const &serverConnection() const { return serverConn; } diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc index 53247611f8..0e07706fb2 100644 --- a/src/security/PeerOptions.cc +++ b/src/security/PeerOptions.cc @@ -261,8 +261,8 @@ Security::PeerOptions::createClientContext(bool setOptions) Ssl::InitClientContext(t, *this, (setOptions ? parsedOptions : 0), parsedFlags); #endif updateContextNpn(t); - updateContextCa(t.get()); - updateContextCrl(t.get()); + updateContextCa(t); + updateContextCrl(t); } return t; @@ -570,14 +570,14 @@ Security::PeerOptions::updateContextNpn(Security::ContextPointer &ctx) } static const char * -loadSystemTrustedCa(Security::ContextPtr &ctx) +loadSystemTrustedCa(Security::ContextPointer &ctx) { #if USE_OPENSSL - if (SSL_CTX_set_default_verify_paths(ctx) == 0) + if (SSL_CTX_set_default_verify_paths(ctx.get()) == 0) return ERR_error_string(ERR_get_error(), nullptr); #elif USE_GNUTLS - auto x = gnutls_certificate_set_x509_system_trust(ctx); + auto x = gnutls_certificate_set_x509_system_trust(ctx.get()); if (x < 0) return gnutls_strerror(x); @@ -586,7 +586,7 @@ loadSystemTrustedCa(Security::ContextPtr &ctx) } void -Security::PeerOptions::updateContextCa(Security::ContextPtr ctx) +Security::PeerOptions::updateContextCa(Security::ContextPointer &ctx) { debugs(83, 8, "Setting CA certificate locations."); #if USE_OPENSSL @@ -594,12 +594,12 @@ Security::PeerOptions::updateContextCa(Security::ContextPtr ctx) #endif for (auto i : caFiles) { #if USE_OPENSSL - if (!SSL_CTX_load_verify_locations(ctx, i.c_str(), path)) { + if (!SSL_CTX_load_verify_locations(ctx.get(), i.c_str(), path)) { const int ssl_error = ERR_get_error(); debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting CA certificate locations: " << ERR_error_string(ssl_error, NULL)); } #elif USE_GNUTLS - if (gnutls_certificate_set_x509_trust_file(ctx, i.c_str(), GNUTLS_X509_FMT_PEM) < 0) { + if (gnutls_certificate_set_x509_trust_file(ctx.get(), i.c_str(), GNUTLS_X509_FMT_PEM) < 0) { debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting CA certificate location: " << i); } #endif @@ -614,11 +614,11 @@ Security::PeerOptions::updateContextCa(Security::ContextPtr ctx) } void -Security::PeerOptions::updateContextCrl(Security::ContextPtr ctx) +Security::PeerOptions::updateContextCrl(Security::ContextPointer &ctx) { #if USE_OPENSSL bool verifyCrl = false; - X509_STORE *st = SSL_CTX_get_cert_store(ctx); + X509_STORE *st = SSL_CTX_get_cert_store(ctx.get()); if (parsedCrl.size()) { for (auto &i : parsedCrl) { if (!X509_STORE_add_crl(st, i.get())) diff --git a/src/security/PeerOptions.h b/src/security/PeerOptions.h index bd9e2a7692..3decafa849 100644 --- a/src/security/PeerOptions.h +++ b/src/security/PeerOptions.h @@ -45,10 +45,10 @@ public: void updateContextNpn(Security::ContextPointer &); /// setup the CA details for the given context - void updateContextCa(Security::ContextPtr); + void updateContextCa(Security::ContextPointer &); /// setup the CRL details for the given context - void updateContextCrl(Security::ContextPtr); + void updateContextCrl(Security::ContextPointer &); /// output squid.conf syntax with 'pfx' prefix on parameters for the stored settings virtual void dumpCfg(Packable *, const char *pfx) const; diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc index a1577b91c2..7e7da948fd 100644 --- a/src/security/ServerOptions.cc +++ b/src/security/ServerOptions.cc @@ -168,7 +168,7 @@ Security::ServerOptions::loadDhParams() } void -Security::ServerOptions::updateContextEecdh(Security::ContextPtr &ctx) +Security::ServerOptions::updateContextEecdh(Security::ContextPointer &ctx) { // set Elliptic Curve details into the server context if (!eecdhCurve.isEmpty()) { @@ -188,7 +188,7 @@ Security::ServerOptions::updateContextEecdh(Security::ContextPtr &ctx) return; } - if (!SSL_CTX_set_tmp_ecdh(ctx, ecdh)) { + if (!SSL_CTX_set_tmp_ecdh(ctx.get(), ecdh)) { auto ssl_error = ERR_get_error(); debugs(83, DBG_CRITICAL, "ERROR: Unable to set Ephemeral ECDH: " << ERR_error_string(ssl_error, NULL)); } @@ -203,7 +203,7 @@ Security::ServerOptions::updateContextEecdh(Security::ContextPtr &ctx) // set DH parameters into the server context #if USE_OPENSSL if (parsedDhParams.get()) { - SSL_CTX_set_tmp_dh(ctx, parsedDhParams.get()); + SSL_CTX_set_tmp_dh(ctx.get(), parsedDhParams.get()); } #endif } diff --git a/src/security/ServerOptions.h b/src/security/ServerOptions.h index 90225e58d9..98901f3f9c 100644 --- a/src/security/ServerOptions.h +++ b/src/security/ServerOptions.h @@ -38,7 +38,7 @@ public: bool createStaticServerContext(AnyP::PortCfg &); /// update the context with DH, EDH, EECDH settings - void updateContextEecdh(Security::ContextPtr &); + void updateContextEecdh(Security::ContextPointer &); public: /// TLS context to use for HTTPS accelerator or static SSL-Bump diff --git a/src/security/Session.cc b/src/security/Session.cc index cf717926f7..be77734858 100644 --- a/src/security/Session.cc +++ b/src/security/Session.cc @@ -110,8 +110,8 @@ initializeSessionCache() } for (AnyP::PortCfgPointer s = HttpPortList; s != nullptr; s = s->next) { - if (s->secure.staticContext.get()) - Ssl::SetSessionCallbacks(s->secure.staticContext.get()); + if (s->secure.staticContext) + Ssl::SetSessionCallbacks(s->secure.staticContext); } #endif } diff --git a/src/ssl/PeekingPeerConnector.cc b/src/ssl/PeekingPeerConnector.cc index 2a8f985b22..e684cc4219 100644 --- a/src/ssl/PeekingPeerConnector.cc +++ b/src/ssl/PeekingPeerConnector.cc @@ -126,10 +126,10 @@ Ssl::PeekingPeerConnector::checkForPeekAndSpliceGuess() const return Ssl::bumpSplice; } -Security::ContextPtr -Ssl::PeekingPeerConnector::getSslContext() +Security::ContextPointer +Ssl::PeekingPeerConnector::getTlsContext() { - return ::Config.ssl_client.sslContext.get(); + return ::Config.ssl_client.sslContext; } bool diff --git a/src/ssl/PeekingPeerConnector.h b/src/ssl/PeekingPeerConnector.h index b4ea5066af..1659139668 100644 --- a/src/ssl/PeekingPeerConnector.h +++ b/src/ssl/PeekingPeerConnector.h @@ -38,7 +38,7 @@ public: /* Security::PeerConnector API */ virtual bool initialize(Security::SessionPointer &); - virtual Security::ContextPtr getSslContext(); + virtual Security::ContextPointer getTlsContext(); virtual void noteWantWrite(); virtual void noteNegotiationError(const int result, const int ssl_error, const int ssl_lib_error); virtual void noteNegotiationDone(ErrorState *error); diff --git a/src/ssl/support.cc b/src/ssl/support.cc index 33c0465012..075bfd7a30 100644 --- a/src/ssl/support.cc +++ b/src/ssl/support.cc @@ -492,32 +492,32 @@ ssl_info_cb(const SSL *ssl, int where, int ret) #endif static bool -configureSslContext(Security::ContextPtr sslContext, AnyP::PortCfg &port) +configureSslContext(Security::ContextPointer &ctx, AnyP::PortCfg &port) { int ssl_error; - SSL_CTX_set_options(sslContext, port.secure.parsedOptions); + SSL_CTX_set_options(ctx.get(), port.secure.parsedOptions); #if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) - SSL_CTX_set_info_callback(sslContext, ssl_info_cb); + SSL_CTX_set_info_callback(ctx.get(), ssl_info_cb); #endif if (port.sslContextSessionId) - SSL_CTX_set_session_id_context(sslContext, (const unsigned char *)port.sslContextSessionId, strlen(port.sslContextSessionId)); + SSL_CTX_set_session_id_context(ctx.get(), (const unsigned char *)port.sslContextSessionId, strlen(port.sslContextSessionId)); if (port.secure.parsedFlags & SSL_FLAG_NO_SESSION_REUSE) { - SSL_CTX_set_session_cache_mode(sslContext, SSL_SESS_CACHE_OFF); + SSL_CTX_set_session_cache_mode(ctx.get(), SSL_SESS_CACHE_OFF); } if (Config.SSL.unclean_shutdown) { debugs(83, 5, "Enabling quiet SSL shutdowns (RFC violation)."); - SSL_CTX_set_quiet_shutdown(sslContext, 1); + SSL_CTX_set_quiet_shutdown(ctx.get(), 1); } if (!port.secure.sslCipher.isEmpty()) { debugs(83, 5, "Using chiper suite " << port.secure.sslCipher << "."); - if (!SSL_CTX_set_cipher_list(sslContext, port.secure.sslCipher.c_str())) { + if (!SSL_CTX_set_cipher_list(ctx.get(), port.secure.sslCipher.c_str())) { ssl_error = ERR_get_error(); debugs(83, DBG_CRITICAL, "ERROR: Failed to set SSL cipher suite '" << port.secure.sslCipher << "': " << ERR_error_string(ssl_error, NULL)); return false; @@ -525,15 +525,15 @@ configureSslContext(Security::ContextPtr sslContext, AnyP::PortCfg &port) } debugs(83, 9, "Setting RSA key generation callback."); - SSL_CTX_set_tmp_rsa_callback(sslContext, ssl_temp_rsa_cb); + SSL_CTX_set_tmp_rsa_callback(ctx.get(), ssl_temp_rsa_cb); - port.secure.updateContextEecdh(sslContext); - port.secure.updateContextCa(sslContext); + port.secure.updateContextEecdh(ctx); + port.secure.updateContextCa(ctx); if (port.clientCA.get()) { ERR_clear_error(); if (STACK_OF(X509_NAME) *clientca = SSL_dup_CA_list(port.clientCA.get())) { - SSL_CTX_set_client_CA_list(sslContext, clientca); + SSL_CTX_set_client_CA_list(ctx.get(), clientca); } else { ssl_error = ERR_get_error(); debugs(83, DBG_CRITICAL, "ERROR: Failed to dupe the client CA list: " << ERR_error_string(ssl_error, NULL)); @@ -542,29 +542,29 @@ configureSslContext(Security::ContextPtr sslContext, AnyP::PortCfg &port) if (port.secure.parsedFlags & SSL_FLAG_DELAYED_AUTH) { debugs(83, 9, "Not requesting client certificates until acl processing requires one"); - SSL_CTX_set_verify(sslContext, SSL_VERIFY_NONE, NULL); + SSL_CTX_set_verify(ctx.get(), SSL_VERIFY_NONE, NULL); } else { debugs(83, 9, "Requiring client certificates."); - SSL_CTX_set_verify(sslContext, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ssl_verify_cb); + SSL_CTX_set_verify(ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ssl_verify_cb); } - port.secure.updateContextCrl(sslContext); + port.secure.updateContextCrl(ctx); } else { debugs(83, 9, "Not requiring any client certificates"); - SSL_CTX_set_verify(sslContext, SSL_VERIFY_NONE, NULL); + SSL_CTX_set_verify(ctx.get(), SSL_VERIFY_NONE, NULL); } if (port.secure.parsedFlags & SSL_FLAG_DONT_VERIFY_DOMAIN) - SSL_CTX_set_ex_data(sslContext, ssl_ctx_ex_index_dont_verify_domain, (void *) -1); + SSL_CTX_set_ex_data(ctx.get(), ssl_ctx_ex_index_dont_verify_domain, (void *) -1); - Ssl::SetSessionCallbacks(sslContext); + Ssl::SetSessionCallbacks(ctx); return true; } bool -Ssl::InitServerContext(const Security::ContextPointer &ctx, AnyP::PortCfg &port) +Ssl::InitServerContext(Security::ContextPointer &ctx, AnyP::PortCfg &port) { if (!ctx) return false; @@ -583,7 +583,7 @@ Ssl::InitServerContext(const Security::ContextPointer &ctx, AnyP::PortCfg &port) return false; } - Ssl::addChainToSslContext(ctx.get(), port.certsToChain.get()); + Ssl::addChainToSslContext(ctx, port.certsToChain.get()); /* Alternate code; debugs(83, DBG_IMPORTANT, "Using certificate in " << certfile); @@ -613,7 +613,7 @@ Ssl::InitServerContext(const Security::ContextPointer &ctx, AnyP::PortCfg &port) } */ - if (!configureSslContext(ctx.get(), port)) { + if (!configureSslContext(ctx, port)) { debugs(83, DBG_CRITICAL, "ERROR: Configuring static SSL context"); return false; } @@ -936,7 +936,7 @@ Ssl::createSSLContext(Security::CertPointer & x509, Ssl::EVP_PKEY_Pointer & pkey if (!SSL_CTX_use_PrivateKey(ctx.get(), pkey.get())) return Security::ContextPointer(); - if (!configureSslContext(ctx.get(), port)) + if (!configureSslContext(ctx, port)) return Security::ContextPointer(); return ctx; @@ -965,27 +965,26 @@ Ssl::generateSslContext(CertificateProperties const &properties, AnyP::PortCfg & } void -Ssl::chainCertificatesToSSLContext(SSL_CTX *sslContext, AnyP::PortCfg &port) +Ssl::chainCertificatesToSSLContext(Security::ContextPointer &ctx, AnyP::PortCfg &port) { - assert(sslContext != NULL); + assert(ctx); // Add signing certificate to the certificates chain X509 *signingCert = port.signingCert.get(); - if (SSL_CTX_add_extra_chain_cert(sslContext, signingCert)) { + if (SSL_CTX_add_extra_chain_cert(ctx.get(), signingCert)) { // increase the certificate lock CRYPTO_add(&(signingCert->references),1,CRYPTO_LOCK_X509); } else { const int ssl_error = ERR_get_error(); debugs(33, DBG_IMPORTANT, "WARNING: can not add signing certificate to SSL context chain: " << ERR_error_string(ssl_error, NULL)); } - Ssl::addChainToSslContext(sslContext, port.certsToChain.get()); + Ssl::addChainToSslContext(ctx, port.certsToChain.get()); } void -Ssl::configureUnconfiguredSslContext(SSL_CTX *sslContext, Ssl::CertSignAlgorithm signAlgorithm,AnyP::PortCfg &port) +Ssl::configureUnconfiguredSslContext(Security::ContextPointer &ctx, Ssl::CertSignAlgorithm signAlgorithm,AnyP::PortCfg &port) { - if (sslContext && signAlgorithm == Ssl::algSignTrusted) { - Ssl::chainCertificatesToSSLContext(sslContext, port); - } + if (ctx && signAlgorithm == Ssl::algSignTrusted) + Ssl::chainCertificatesToSSLContext(ctx, port); } bool @@ -1031,19 +1030,20 @@ Ssl::configureSSLUsingPkeyAndCertFromMemory(SSL *ssl, const char *data, AnyP::Po return true; } -bool Ssl::verifySslCertificate(Security::ContextPtr sslContext, CertificateProperties const &properties) +bool +Ssl::verifySslCertificate(Security::ContextPointer &ctx, CertificateProperties const &properties) { // SSL_get_certificate is buggy in openssl versions 1.0.1d and 1.0.1e - // Try to retrieve certificate directly from Security::ContextPtr object + // Try to retrieve certificate directly from Security::ContextPointer object #if SQUID_USE_SSLGETCERTIFICATE_HACK - X509 ***pCert = (X509 ***)sslContext->cert; + X509 ***pCert = (X509 ***)ctx->cert; X509 * cert = pCert && *pCert ? **pCert : NULL; #elif SQUID_SSLGETCERTIFICATE_BUGGY X509 * cert = NULL; assert(0); #else // Temporary ssl for getting X509 certificate from SSL_CTX. - Security::SessionPointer ssl(SSL_new(sslContext)); + Security::SessionPointer ssl(SSL_new(ctx.get())); X509 * cert = SSL_get_certificate(ssl.get()); #endif if (!cert) @@ -1076,14 +1076,15 @@ Ssl::setClientSNI(SSL *ssl, const char *fqdn) #endif } -void Ssl::addChainToSslContext(Security::ContextPtr sslContext, STACK_OF(X509) *chain) +void +Ssl::addChainToSslContext(Security::ContextPointer &ctx, STACK_OF(X509) *chain) { if (!chain) return; for (int i = 0; i < sk_X509_num(chain); ++i) { X509 *cert = sk_X509_value(chain, i); - if (SSL_CTX_add_extra_chain_cert(sslContext, cert)) { + if (SSL_CTX_add_extra_chain_cert(ctx.get(), cert)) { // increase the certificate lock CRYPTO_add(&(cert->references),1,CRYPTO_LOCK_X509); } else { @@ -1398,7 +1399,7 @@ bool Ssl::generateUntrustedCert(Security::CertPointer &untrustedCert, EVP_PKEY_P } static bool -SslCreate(Security::ContextPtr sslContext, const Comm::ConnectionPointer &conn, Ssl::Bio::Type type, const char *squidCtx) +SslCreate(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &conn, Ssl::Bio::Type type, const char *squidCtx) { if (!Comm::IsConnOpen(conn)) { debugs(83, DBG_IMPORTANT, "Gone connection"); @@ -1407,7 +1408,7 @@ SslCreate(Security::ContextPtr sslContext, const Comm::ConnectionPointer &conn, const char *errAction = NULL; int errCode = 0; - if (auto ssl = SSL_new(sslContext)) { + if (auto ssl = SSL_new(ctx.get())) { const int fd = conn->fd; // without BIO, we would call SSL_set_fd(ssl, fd) instead if (BIO *bio = Ssl::Bio::Create(fd, type)) { @@ -1433,15 +1434,15 @@ SslCreate(Security::ContextPtr sslContext, const Comm::ConnectionPointer &conn, } bool -Ssl::CreateClient(Security::ContextPtr sslContext, const Comm::ConnectionPointer &c, const char *squidCtx) +Ssl::CreateClient(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &c, const char *squidCtx) { - return SslCreate(sslContext, c, Ssl::Bio::BIO_TO_SERVER, squidCtx); + return SslCreate(ctx, c, Ssl::Bio::BIO_TO_SERVER, squidCtx); } bool Ssl::CreateServer(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &c, const char *squidCtx) { - return SslCreate(ctx.get(), c, Ssl::Bio::BIO_TO_CLIENT, squidCtx); + return SslCreate(ctx, c, Ssl::Bio::BIO_TO_CLIENT, squidCtx); } static int @@ -1533,13 +1534,13 @@ get_session_cb(SSL *, unsigned char *sessionID, int len, int *copy) } void -Ssl::SetSessionCallbacks(Security::ContextPtr ctx) +Ssl::SetSessionCallbacks(Security::ContextPointer &ctx) { if (Ssl::SessionCache) { - SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL); - SSL_CTX_sess_set_new_cb(ctx, store_session_cb); - SSL_CTX_sess_set_remove_cb(ctx, remove_session_cb); - SSL_CTX_sess_set_get_cb(ctx, get_session_cb); + SSL_CTX_set_session_cache_mode(ctx.get(), SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL); + SSL_CTX_sess_set_new_cb(ctx.get(), store_session_cb); + SSL_CTX_sess_set_remove_cb(ctx.get(), remove_session_cb); + SSL_CTX_sess_set_get_cb(ctx.get(), get_session_cb); } } diff --git a/src/ssl/support.h b/src/ssl/support.h index 9bcf1a1502..42c9815307 100644 --- a/src/ssl/support.h +++ b/src/ssl/support.h @@ -75,18 +75,18 @@ typedef RefCount CertValidationResponsePointer; /// Creates SSL Client connection structure and initializes SSL I/O (Comm and BIO). /// On errors, emits DBG_IMPORTANT with details and returns false. -bool CreateClient(Security::ContextPtr sslContext, const Comm::ConnectionPointer &, const char *squidCtx); +bool CreateClient(const Security::ContextPointer &, const Comm::ConnectionPointer &, const char *squidCtx); /// Creates SSL Server connection structure and initializes SSL I/O (Comm and BIO). /// On errors, emits DBG_IMPORTANT with details and returns false. bool CreateServer(const Security::ContextPointer &, const Comm::ConnectionPointer &, const char *squidCtx); -void SetSessionCallbacks(Security::ContextPtr); +void SetSessionCallbacks(Security::ContextPointer &); extern Ipc::MemMap *SessionCache; extern const char *SessionCacheName; /// initialize a TLS server context with OpenSSL specific settings -bool InitServerContext(const Security::ContextPointer &, AnyP::PortCfg &); +bool InitServerContext(Security::ContextPointer &, AnyP::PortCfg &); /// initialize a TLS client context with OpenSSL specific settings bool InitClientContext(Security::ContextPointer &, Security::PeerOptions &, long options, long flags); @@ -238,7 +238,7 @@ Security::ContextPointer generateSslContext(CertificateProperties const &propert \param properties Check if the context certificate matches the given properties \return true if the contexts certificate is valid, false otherwise */ -bool verifySslCertificate(Security::ContextPtr sslContext, CertificateProperties const &properties); +bool verifySslCertificate(Security::ContextPointer &, CertificateProperties const &); /** \ingroup ServerProtocolSSLAPI @@ -257,13 +257,13 @@ Security::ContextPointer createSSLContext(Security::CertPointer & x509, Ssl::EVP \ingroup ServerProtocolSSLAPI * Chain signing certificate and chained certificates to an SSL Context */ -void chainCertificatesToSSLContext(SSL_CTX *sslContext, AnyP::PortCfg &port); +void chainCertificatesToSSLContext(Security::ContextPointer &, AnyP::PortCfg &); /** \ingroup ServerProtocolSSLAPI * Configure a previously unconfigured SSL context object. */ -void configureUnconfiguredSslContext(SSL_CTX *sslContext, Ssl::CertSignAlgorithm signAlgorithm,AnyP::PortCfg &port); +void configureUnconfiguredSslContext(Security::ContextPointer &, Ssl::CertSignAlgorithm signAlgorithm, AnyP::PortCfg &); /** \ingroup ServerProtocolSSLAPI @@ -283,7 +283,7 @@ bool configureSSLUsingPkeyAndCertFromMemory(SSL *ssl, const char *data, AnyP::Po \ingroup ServerProtocolSSLAPI * Adds the certificates in certList to the certificate chain of the SSL context */ -void addChainToSslContext(Security::ContextPtr sslContext, STACK_OF(X509) *certList); +void addChainToSslContext(Security::ContextPointer &, STACK_OF(X509) *certList); /** \ingroup ServerProtocolSSLAPI diff --git a/src/tests/stub_libsecurity.cc b/src/tests/stub_libsecurity.cc index 0ec8d2262e..b9707985d2 100644 --- a/src/tests/stub_libsecurity.cc +++ b/src/tests/stub_libsecurity.cc @@ -19,7 +19,7 @@ CBDATA_NAMESPACED_CLASS_INIT(Security, BlindPeerConnector); namespace Security { bool BlindPeerConnector::initialize(Security::SessionPointer &) STUB_RETVAL(false) -Security::ContextPtr BlindPeerConnector::getSslContext() STUB_RETVAL(nullptr) +Security::ContextPointer BlindPeerConnector::getTlsContext() STUB_RETVAL(Security::ContextPointer()) void BlindPeerConnector::noteNegotiationDone(ErrorState *) STUB } @@ -60,7 +60,7 @@ void PeerConnector::handleNegotiateError(const int) STUB void PeerConnector::noteWantRead() STUB void PeerConnector::noteWantWrite() STUB void PeerConnector::noteNegotiationError(const int, const int, const int) STUB -// virtual Security::ContextPtr getSslContext() = 0; +// virtual Security::ContextPointer getTlsContext() = 0; void PeerConnector::bail(ErrorState *) STUB void PeerConnector::callBack() STUB void PeerConnector::recordNegotiationDetails() STUB @@ -72,8 +72,8 @@ void Security::PeerOptions::parse(char const*) STUB Security::ContextPointer Security::PeerOptions::createClientContext(bool) STUB_RETVAL(Security::ContextPointer()) void Security::PeerOptions::updateTlsVersionLimits() STUB Security::ContextPointer Security::PeerOptions::createBlankContext() const STUB_RETVAL(Security::ContextPointer()) -void Security::PeerOptions::updateContextCa(Security::ContextPtr) STUB -void Security::PeerOptions::updateContextCrl(Security::ContextPtr) STUB +void Security::PeerOptions::updateContextCa(Security::ContextPointer &) STUB +void Security::PeerOptions::updateContextCrl(Security::ContextPointer &) STUB void Security::PeerOptions::dumpCfg(Packable*, char const*) const STUB long Security::PeerOptions::parseOptions() STUB_RETVAL(0) long Security::PeerOptions::parseFlags() STUB_RETVAL(0) @@ -85,7 +85,7 @@ void Security::ServerOptions::parse(const char *) STUB void Security::ServerOptions::dumpCfg(Packable *, const char *) const STUB Security::ContextPointer Security::ServerOptions::createBlankContext() const STUB_RETVAL(Security::ContextPointer()) bool Security::ServerOptions::createStaticServerContext(AnyP::PortCfg &) STUB_RETVAL(false) -void Security::ServerOptions::updateContextEecdh(Security::ContextPtr &) STUB +void Security::ServerOptions::updateContextEecdh(Security::ContextPointer &) STUB #include "security/Session.h" namespace Security { diff --git a/src/tests/stub_libsslsquid.cc b/src/tests/stub_libsslsquid.cc index 69b01cec32..15c410243a 100644 --- a/src/tests/stub_libsslsquid.cc +++ b/src/tests/stub_libsslsquid.cc @@ -50,7 +50,7 @@ const String & Ssl::ErrorDetail::toString() const STUB_RETSTATREF(String) #include "ssl/support.h" namespace Ssl { -bool InitServerContext(const Security::ContextPointer &, AnyP::PortCfg &) STUB_RETVAL(false) +bool InitServerContext(Security::ContextPointer &, AnyP::PortCfg &) STUB_RETVAL(false) bool InitClientContext(Security::ContextPointer &, Security::PeerOptions &, long, const char *) STUB_RETVAL(false) } // namespace Ssl int ssl_read_method(int, char *, int) STUB_RETVAL(0) @@ -69,9 +69,9 @@ namespace Ssl const char *BumpModeStr[] = {""}; bool generateUntrustedCert(Security::CertPointer & untrustedCert, EVP_PKEY_Pointer & untrustedPkey, Security::CertPointer const & cert, EVP_PKEY_Pointer const & pkey) STUB_RETVAL(false) Security::ContextPointer generateSslContext(CertificateProperties const &, AnyP::PortCfg &) STUB_RETVAL(Security::ContextPointer()) -bool verifySslCertificate(Security::ContextPtr sslContext, CertificateProperties const &properties) STUB_RETVAL(false) +bool verifySslCertificate(Security::ContextPointer &, CertificateProperties const &) STUB_RETVAL(false) Security::ContextPointer generateSslContextUsingPkeyAndCertFromMemory(const char *, AnyP::PortCfg &) STUB_RETVAL(Security::ContextPointer()) -void addChainToSslContext(Security::ContextPtr sslContext, STACK_OF(X509) *certList) STUB +void addChainToSslContext(Security::ContextPointer &, STACK_OF(X509) *) STUB void readCertChainAndPrivateKeyFromFiles(Security::CertPointer & cert, EVP_PKEY_Pointer & pkey, X509_STACK_Pointer & chain, char const * certFilename, char const * keyFilename) STUB int matchX509CommonNames(X509 *peer_cert, void *check_data, int (*check_func)(void *check_data, ASN1_STRING *cn_data)) STUB_RETVAL(0) bool checkX509ServerValidity(X509 *cert, const char *server) STUB_RETVAL(false)