security_2forward_8h_source.html

/*

 * Copyright (C) 1996-2025 The Squid Software Foundation and contributors

 *

 * Squid software is distributed under GPLv2+ license and includes

 * contributions from numerous individuals and organizations.

 * Please see the COPYING and CONTRIBUTORS files for details.

 */


#ifndef SQUID_SRC_SECURITY_FORWARD_H

#define SQUID_SRC_SECURITY_FORWARD_H


#include "base/CbDataList.h"

#include "base/forward.h"

#include "base/ToCpp.h"

#include "security/LockingPointer.h"


#if HAVE_LIBGNUTLS

#if HAVE_GNUTLS_ABSTRACT_H

#include <gnutls/abstract.h>

#endif

#endif /* HAVE_LIBGNUTLS */

#include <list>

#include <limits>

#include <memory>

#if USE_OPENSSL

#include "compat/openssl.h"

#if HAVE_OPENSSL_BN_H

#include <openssl/bn.h>

#endif

#if HAVE_OPENSSL_ERR_H

#include <openssl/err.h>

#endif

#if HAVE_OPENSSL_RSA_H

#include <openssl/rsa.h>

#endif

#if HAVE_OPENSSL_X509_H

#include <openssl/x509.h>

#endif

#endif /* USE_OPENSSL */

#include <unordered_set>


#if USE_OPENSSL

// Macro to be used to define the C++ wrapper functor of the sk_*_pop_free

// OpenSSL family of functions. The C++ functor is suffixed with the _free_wrapper

// extension


#define sk_dtor_wrapper(sk_object, argument_type, freefunction) \

        struct sk_object ## _free_wrapper { \

            void operator()(argument_type a) { sk_object ## _pop_free(a, freefunction); } \

        }


#endif /* USE_OPENSSL */


/* flags a SSL connection can be configured with */

#define SSL_FLAG_NO_DEFAULT_CA      (1<<0)

#define SSL_FLAG_DELAYED_AUTH       (1<<1)

#define SSL_FLAG_DONT_VERIFY_PEER   (1<<2)

#define SSL_FLAG_DONT_VERIFY_DOMAIN (1<<3)

#define SSL_FLAG_NO_SESSION_REUSE   (1<<4)

#define SSL_FLAG_VERIFY_CRL         (1<<5)

#define SSL_FLAG_VERIFY_CRL_ALL     (1<<6)

#define SSL_FLAG_CONDITIONAL_AUTH   (1<<7)


#if !USE_OPENSSL && !HAVE_LIBGNUTLS

struct notls_x509 {};

#endif


namespace Security

{


class CertError;

typedef CbDataList<Security::CertError> CertErrors;


#if USE_OPENSSL

typedef X509 Certificate;

#elif HAVE_LIBGNUTLS

typedef struct gnutls_x509_crt_int Certificate;

#else

typedef struct notls_x509 Certificate;

#endif


#if USE_OPENSSL

CtoCpp1(X509_free, X509 *);

typedef Security::LockingPointer<X509, X509_free_cpp, HardFun<int, X509 *, X509_up_ref> > CertPointer;

#elif HAVE_LIBGNUTLS

typedef std::shared_ptr<struct gnutls_x509_crt_int> CertPointer;

#else

typedef std::shared_ptr<Certificate> CertPointer;

#endif


#if USE_OPENSSL

CtoCpp1(X509_CRL_free, X509_CRL *);

typedef Security::LockingPointer<X509_CRL, X509_CRL_free_cpp, HardFun<int, X509_CRL *, X509_CRL_up_ref> > CrlPointer;

#elif HAVE_LIBGNUTLS

CtoCpp1(gnutls_x509_crl_deinit, gnutls_x509_crl_t);

typedef Security::LockingPointer<struct gnutls_x509_crl_int, gnutls_x509_crl_deinit> CrlPointer;

#else

typedef void *CrlPointer;

#endif


typedef std::list<Security::CertPointer> CertList;


typedef std::list<Security::CrlPointer> CertRevokeList;


#if USE_OPENSSL

CtoCpp1(EVP_PKEY_free, EVP_PKEY *)

using PrivateKeyPointer = Security::LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, HardFun<int, EVP_PKEY *, EVP_PKEY_up_ref>>;

#elif HAVE_LIBGNUTLS

using PrivateKeyPointer = std::shared_ptr<struct gnutls_x509_privkey_int>;

#else

using PrivateKeyPointer = std::shared_ptr<void>;

#endif


#if USE_OPENSSL

#if OPENSSL_VERSION_MAJOR < 3

CtoCpp1(DH_free, DH *);

typedef Security::LockingPointer<DH, DH_free_cpp, HardFun<int, DH *, DH_up_ref> > DhePointer;

#else

using DhePointer = PrivateKeyPointer;

#endif

#elif HAVE_LIBGNUTLS

using DhePointer = void *;

#else

using DhePointer = void *;

#endif


class EncryptorAnswer;


typedef int ErrorCode;


#if USE_OPENSSL

typedef unsigned long LibErrorCode;

#elif HAVE_LIBGNUTLS

typedef int LibErrorCode;

#else

typedef int LibErrorCode;

#endif


inline const char *ErrorString(const LibErrorCode code) {

#if USE_OPENSSL

    return ERR_error_string(code, nullptr);

#elif HAVE_LIBGNUTLS

    return gnutls_strerror(code);

#else

    (void)code;

    return "[no TLS library]";

#endif

}


typedef std::unordered_set<Security::ErrorCode> Errors;


namespace Io

{


enum Type {

#if USE_OPENSSL

    BIO_TO_CLIENT = 6000,

    BIO_TO_SERVER

#elif HAVE_LIBGNUTLS

    // NP: this is odd looking but correct.

    // 'to-client' means we are a server, and vice versa.

    BIO_TO_CLIENT = GNUTLS_SERVER,

    BIO_TO_SERVER = GNUTLS_CLIENT

#else

    BIO_TO_CLIENT = 6000,

    BIO_TO_SERVER

#endif

};


} // namespace Io


// TODO: Either move to Security::Io or remove/restrict the Io namespace.

class IoResult;


class CommunicationSecrets;

class KeyData;

class KeyLog;


#if USE_OPENSSL

using ParsedOptions = uint64_t;

#elif HAVE_LIBGNUTLS

typedef std::shared_ptr<struct gnutls_priority_st> ParsedOptions;

#else

class ParsedOptions {}; // we never parse/use TLS options in this case

#endif


typedef long ParsedPortFlags;


class PeerConnector;

class BlindPeerConnector;

class PeerOptions;


class ServerOptions;


class FuturePeerContext;


class ErrorDetail;

typedef RefCount<ErrorDetail> ErrorDetailPointer;


std::ostream &operator <<(std::ostream &, const KeyLog &);


void OpenLogs();

void RotateLogs();

void CloseLogs();


} // namespace Security


enum {

    SQUID_TLS_ERR_OFFSET = std::numeric_limits<int>::min(),


    /* TLS library calls/contexts other than validation (e.g., I/O) */

    SQUID_TLS_ERR_ACCEPT,

    SQUID_TLS_ERR_CONNECT,


    /* certificate validation problems not covered by official errors */

    SQUID_X509_V_ERR_CERT_CHANGE,

    SQUID_X509_V_ERR_DOMAIN_MISMATCH,

    SQUID_X509_V_ERR_INFINITE_VALIDATION,


    SQUID_TLS_ERR_END

};


#endif /* SQUID_SRC_SECURITY_FORWARD_H */


CbDataList.h

LockingPointer.h

ToCpp.h

CtoCpp1
#define CtoCpp1(function, argument)
Definition ToCpp.h:14

forward.h

CbDataList
Definition CbDataList.h:16

IoResult
Definition DiskThreadsDiskFile.h:71

RefCount
Definition RefCount.h:28

Security::BlindPeerConnector
A PeerConnector for TLS cache_peers and origin servers. No SslBump capabilities.
Definition BlindPeerConnector.h:21

Security::EncryptorAnswer
Definition EncryptorAnswer.h:22

Security::ErrorDetail
Definition ErrorDetail.h:40

Security::FuturePeerContext
A combination of PeerOptions and the corresponding Context.
Definition PeerOptions.h:155

Security::KeyLog
a single tls_key_log directive configuration and logging handler
Definition KeyLog.h:20

Security::LockingPointer
Definition LockingPointer.h:51

Security::PeerConnector
Definition PeerConnector.h:49

Security::PeerOptions
TLS squid.conf settings for a remote server peer.
Definition PeerOptions.h:26

Security::ServerOptions
TLS squid.conf settings for a listening port.
Definition ServerOptions.h:26

Type
Definition cf_gen.cc:109

Security::Io::BIO_TO_CLIENT
@ BIO_TO_CLIENT
Definition forward.h:171

Security::Io::BIO_TO_SERVER
@ BIO_TO_SERVER
Definition forward.h:172

Security
Network/connection security abstraction layer.
Definition Connection.h:34

Security::CrlPointer
Security::LockingPointer< X509_CRL, X509_CRL_free_cpp, HardFun< int, X509_CRL *, X509_CRL_up_ref > > CrlPointer
Definition forward.h:97

Security::ErrorDetailPointer
RefCount< ErrorDetail > ErrorDetailPointer
Definition forward.h:215

Security::DhePointer
Security::LockingPointer< DH, DH_free_cpp, HardFun< int, DH *, DH_up_ref > > DhePointer
Definition forward.h:121

Security::ParsedOptions
uint64_t ParsedOptions
Definition forward.h:194

Security::ErrorCode
int ErrorCode
Squid-defined error code (<0), an error code returned by X.509 API, or zero.
Definition forward.h:134

Security::OpenLogs
void OpenLogs()
opens logs enabled in the current configuration
Definition KeyLog.cc:71

Security::LibErrorCode
unsigned long LibErrorCode
TLS library-reported non-validation error.
Definition forward.h:141

Security::Certificate
X509 Certificate
Definition forward.h:79

Security::CertErrors
CbDataList< Security::CertError > CertErrors
Holds a list of X.509 certificate errors.
Definition forward.h:76

Security::CertPointer
Security::LockingPointer< X509, X509_free_cpp, HardFun< int, X509 *, X509_up_ref > > CertPointer
Definition forward.h:88

Security::ParsedPortFlags
long ParsedPortFlags
Definition forward.h:204

Security::Errors
std::unordered_set< Security::ErrorCode > Errors
Definition forward.h:165

Security::CertRevokeList
std::list< Security::CrlPointer > CertRevokeList
Definition forward.h:107

Security::CertList
std::list< Security::CertPointer > CertList
Definition forward.h:105

Security::CloseLogs
void CloseLogs()
closes logs opened by OpenLogs()
Definition KeyLog.cc:85

Security::ErrorString
const char * ErrorString(const LibErrorCode code)
converts numeric LibErrorCode into a human-friendlier string
Definition forward.h:152

Security::RotateLogs
void RotateLogs()
rotates logs opened by OpenLogs()
Definition KeyLog.cc:78

Security::operator<<
std::ostream & operator<<(std::ostream &, const EncryptorAnswer &)
Definition EncryptorAnswer.cc:20

openssl.h

SQUID_X509_V_ERR_INFINITE_VALIDATION
@ SQUID_X509_V_ERR_INFINITE_VALIDATION
Definition forward.h:239

SQUID_X509_V_ERR_DOMAIN_MISMATCH
@ SQUID_X509_V_ERR_DOMAIN_MISMATCH
Definition forward.h:238

SQUID_TLS_ERR_END
@ SQUID_TLS_ERR_END
Definition forward.h:241

SQUID_TLS_ERR_CONNECT
@ SQUID_TLS_ERR_CONNECT
failure to establish a connection with a TLS server
Definition forward.h:234

SQUID_TLS_ERR_ACCEPT
@ SQUID_TLS_ERR_ACCEPT
failure to accept a connection from a TLS client
Definition forward.h:233

SQUID_X509_V_ERR_CERT_CHANGE
@ SQUID_X509_V_ERR_CERT_CHANGE
Definition forward.h:237

SQUID_TLS_ERR_OFFSET
@ SQUID_TLS_ERR_OFFSET
Definition forward.h:230