#include "squid.h"
#include "acl/FilledChecklist.h"
#include "anyp/PortCfg.h"
#include "anyp/Uri.h"
#include "fatal.h"
#include "fd.h"
#include "fde.h"
#include "globals.h"
#include "ipc/MemMap.h"
#include "security/CertError.h"
#include "security/Certificate.h"
#include "security/ErrorDetail.h"
#include "security/Session.h"
#include "SquidConfig.h"
#include "ssl/bio.h"
#include "ssl/Config.h"
#include "ssl/ErrorDetail.h"
#include "ssl/gadgets.h"
#include "ssl/support.h"
#include <cerrno>
Functions | |
static void | ssl_ask_password (SSL_CTX *context, const char *prompt) |
static int | check_domain (void *check_data, ASN1_STRING *cn_data) |
static int | ssl_verify_cb (int ok, X509_STORE_CTX *ctx) |
static int | VerifyCtxCertificates (X509_STORE_CTX *ctx, STACK_OF(X509) *extraCerts) |
static int | ssl_dupAclChecklist (CRYPTO_EX_DATA *, CRYPTO_EX_DATA *, void *, int, long, void *) |
static void | ssl_freeAclChecklist (void *, void *ptr, CRYPTO_EX_DATA *, int, long, void *) |
static void | ssl_free_ErrorDetail (void *, void *ptr, CRYPTO_EX_DATA *, int, long, void *) |
static void | ssl_free_SslErrors (void *, void *ptr, CRYPTO_EX_DATA *, int, long, void *) |
static void | ssl_free_int (void *, void *ptr, CRYPTO_EX_DATA *, int, long, void *) |
static void | ssl_free_CertChain (void *, void *ptr, CRYPTO_EX_DATA *, int, long, void *) |
static void | ssl_free_X509 (void *, void *ptr, CRYPTO_EX_DATA *, int, long, void *) |
static void | ssl_free_SBuf (void *, void *ptr, CRYPTO_EX_DATA *, int, long, void *) |
static void | ssl_free_VerifyCallbackParameters (void *, void *ptr, CRYPTO_EX_DATA *, int, long, void *) |
"free" function for the ssl_ex_index_verify_callback_parameters entry.
static const char * | ssl_get_attribute (X509_NAME *name, const char *attribute_name) |
const char * | sslGetUserAttribute (SSL *ssl, const char *attribute_name) |
const char * | sslGetCAAttribute (SSL *ssl, const char *attribute_name) |
const char * | sslGetUserEmail (SSL *ssl) |
SBuf | sslGetUserCertificatePEM (SSL *ssl) |
SBuf | sslGetUserCertificateChainPEM (SSL *ssl) |
static X509 * | findCertIssuerFast (Ssl::CertsIndexedList &list, X509 *cert) |
static X509 * | sk_x509_findIssuer (const STACK_OF(X509) *sk, X509 *cert) |
Slowly finds the issuer certificate of a given cert using a linear search.
static X509 * | findIssuerInCaDb (X509 *cert, const Security::ContextPointer &connContext) |
static void | completeIssuers (X509_STORE_CTX *ctx, STACK_OF(X509) &untrustedCerts) |
Adds missing issuer certificates to untrustedCerts.
static int | untrustedToStoreCtx_cb (X509_STORE_CTX *ctx, void *) |
static int | bio_sbuf_create (BIO *bio) |
static int | bio_sbuf_destroy (BIO *bio) |
static int | bio_sbuf_write (BIO *bio, const char *data, int len) |
static int | bio_sbuf_puts (BIO *bio, const char *data) |
static long | bio_sbuf_ctrl (BIO *bio, int cmd, long, void *) |
Variables | |
static int | ssl_ex_index_verify_callback_parameters = -1 |
static Ssl::CertsIndexedList | SquidUntrustedCerts |
Function Documentation
◆ bio_sbuf_create()
static |
Definition at line 1417 of file support.cc.
References BIO_set_data(), and BIO_set_init().
Referenced by Ssl::BIO_new_SBuf().
◆ bio_sbuf_ctrl()
static |
Definition at line 1452 of file support.cc.
References BIO_get_data(), and SBuf::clear().
Referenced by Ssl::BIO_new_SBuf().
◆ bio_sbuf_destroy()
static |
Definition at line 1425 of file support.cc.
Referenced by Ssl::BIO_new_SBuf().
◆ bio_sbuf_puts()
static |
Definition at line 1442 of file support.cc.
References SBuf::append(), BIO_get_data(), and SBuf::length().
Referenced by Ssl::BIO_new_SBuf().
◆ bio_sbuf_write()
Definition at line 1433 of file support.cc.
References SBuf::append(), and BIO_get_data().
Referenced by Ssl::BIO_new_SBuf().
◆ check_domain()
static |
Definition at line 231 of file support.cc.
References debugs, matchDomainName(), mdnRejectSubsubDomains, and server.
Referenced by Ssl::checkX509ServerValidity().
◆ completeIssuers()
static |
Definition at line 1256 of file support.cc.
References debugs, Ssl::findIssuerCertificate(), Security::LockingPointer< T, UnLocker, Locker >::get(), Security::LockingPointer< T, UnLocker, Locker >::resetAndLock(), Security::SelfSigned(), SquidUntrustedCerts, X509_STORE_CTX_get0_cert(), and X509_VERIFY_PARAM_get_depth().
Referenced by VerifyCtxCertificates().
◆ findCertIssuerFast()
static |
Quickly finds the issuer certificate of a certificate cert in the Ssl::CertsIndexedList list.
Definition at line 1139 of file support.cc.
References Security::IssuedBy(), and Security::IssuerName().
Referenced by Ssl::findIssuerCertificate().
◆ findIssuerInCaDb()
static |
Finds the issuer of a given certificate in the CA store of the given connContext.
- Returns
- the issuer certificate (with its reference count increased) or nil
Definition at line 1174 of file support.cc.
References assert, DBG_IMPORTANT, debugs, and Security::ErrorString().
Referenced by Ssl::findIssuerCertificate().
◆ sk_x509_findIssuer()
static |
Definition at line 1157 of file support.cc.
References Security::IssuedBy().
Referenced by Ssl::findIssuerCertificate().
◆ ssl_dupAclChecklist()
◆ ssl_free_ErrorDetail()
static |
Definition at line 589 of file support.cc.
Referenced by Ssl::Initialize().
◆ ssl_free_int()
static |
Definition at line 606 of file support.cc.
Referenced by Ssl::Initialize().
◆ ssl_free_SBuf()
static |
Definition at line 635 of file support.cc.
Referenced by Ssl::Initialize().
◆ ssl_free_SslErrors()
static |
Definition at line 597 of file support.cc.
Referenced by Ssl::Initialize().
◆ ssl_free_VerifyCallbackParameters()
static |
Definition at line 644 of file support.cc.
Referenced by Ssl::Initialize().
◆ ssl_free_X509()
static |
Definition at line 626 of file support.cc.
Referenced by Ssl::Initialize().
◆ ssl_freeAclChecklist()
static |
Definition at line 581 of file support.cc.
Referenced by Ssl::Initialize().
◆ ssl_verify_cb()
Adjusts OpenSSL validation results for each verified certificate in ctx. This is an OpenSSL "verify_callback function" (see OpenSSL_vcb_disambiguation).
Definition at line 262 of file support.cc.
References Acl::Answer::allowed(), Ssl::checkX509ServerValidity(), DBG_IMPORTANT, debugs, ACLChecklist::fastCheck(), Filled(), Ssl::VerifyCallbackParameters::Find(), Security::LockingPointer< T, UnLocker, Locker >::get(), Ssl::GetErrorDescr(), CbDataList< C >::push_back_unique(), Security::LockingPointer< T, UnLocker, Locker >::reset(), Security::LockingPointer< T, UnLocker, Locker >::resetAndLock(), server, ACLFilledChecklist::serverCert, SQUID_CERT_VALIDATION_ITERATION_MAX, SQUID_X509_V_ERR_CERT_CHANGE, SQUID_X509_V_ERR_DOMAIN_MISMATCH, SQUID_X509_V_ERR_INFINITE_VALIDATION, ssl_ctx_ex_index_dont_verify_domain, ssl_ex_index_cert_error_check, ssl_ex_index_server, ssl_ex_index_ssl_cert_chain, ssl_ex_index_ssl_error_detail, ssl_ex_index_ssl_errors, ssl_ex_index_ssl_peeked_cert, ssl_ex_index_ssl_validation_counter, ACLFilledChecklist::sslErrors, STACK_OF(), Ssl::TheConfig, and X509_STORE_CTX_get0_cert().
Referenced by Ssl::ConfigurePeerVerification().
◆ untrustedToStoreCtx_cb()
static |
Validates certificates while consulting sslproxy_foreign_intermediate_certs but without using any dynamically downloaded intermediate certificates. This is an OpenSSL "verification callback function" (see OpenSSL_vcb_disambiguation).
Definition at line 1338 of file support.cc.
References debugs, and VerifyCtxCertificates().
Referenced by Ssl::useSquidUntrusted().
◆ VerifyCtxCertificates()
Validates certificates while consulting sslproxy_foreign_intermediate_certs and, optionally, the given extra certificates.
- Returns
- whatever OpenSSL X509_verify_cert() returns
Definition at line 1290 of file support.cc.
References completeIssuers(), SquidUntrustedCerts, STACK_OF(), and X509_STORE_CTX_set0_untrusted.
Referenced by untrustedToStoreCtx_cb(), and Ssl::VerifyConnCertificates().
Variable Documentation
◆ SquidUntrustedCerts
static |
Definition at line 42 of file support.cc.
Referenced by completeIssuers(), Ssl::findIssuerCertificate(), Ssl::loadSquidUntrusted(), Ssl::unloadSquidUntrusted(), and VerifyCtxCertificates().
◆ ssl_ex_index_verify_callback_parameters
static |
Definition at line 40 of file support.cc.
Referenced by Ssl::VerifyCallbackParameters::Find(), Ssl::Initialize(), and Ssl::VerifyCallbackParameters::New().