BlindPeerConnector.cc
1 /*
2  * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 #include "squid.h"
10 #include "AccessLogEntry.h"
11 #include "CachePeer.h"
12 #include "comm/Connection.h"
13 #include "errorpage.h"
14 #include "fde.h"
15 #include "HttpRequest.h"
16 #include "neighbors.h"
19 #include "SquidConfig.h"
20 
21 CBDATA_NAMESPACED_CLASS_INIT(Security, BlindPeerConnector);
22 
Security::FuturePeerContext *
Security::BlindPeerConnector::peerContext() const
{
    // A cache_peer configured for TLS negotiates with its own context
    // (its own outgoing certificate/verification settings); any other
    // upstream gets the global outgoing-TLS default.
    if (const auto peer = serverConnection()->getPeer()) {
        if (peer->secure.encryptTransport)
            return peer->securityContext();
    }
    // NOTE(review): this fallback line was not visible in the rendered
    // listing; reconstructed from the Config/ssl_client/defaultPeerContext
    // references the listing resolves.
    return Config.ssl_client.defaultPeerContext;
}
32 
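// Prepares the TLS client session for the upstream server: runs the generic
// PeerConnector setup, then (OpenSSL builds) fixes the server name the
// upstream is expected to present and arms TLS session resumption for
// cache_peers.
//
// The expected name comes from cache_peer's configured TLS domain for a TLS
// peer and from the request URL host otherwise. It is sent as SNI and kept in
// the session's ex_data slot — presumably read back by the certificate
// verification path, so an attacker-controlled URL host is only ever
// compared against what the server actually presents, never trusted.
//
// Returns false (after logging) when the base-class setup fails; true once
// the session is ready to negotiate.
bool
Security::BlindPeerConnector::initialize(Security::SessionPointer &serverSession)
{
    if (!Security::PeerConnector::initialize(serverSession)) {
        debugs(83, 5, "Security::PeerConnector::initialize failed");
        return false;
    }

    const CachePeer *peer = serverConnection()->getPeer();
    // decided once: the original re-tested (and then asserted) the same
    // condition in several places
    const bool securePeer = peer && peer->secure.encryptTransport;

    if (securePeer) {
        // NP: domain may be a raw-IP but it is now always set
        assert(!peer->secure.sslDomain.isEmpty());
    }

#if USE_OPENSSL
    // Ownership of the heap SBuf passes to the session's ex_data slot.
    // NOTE(review): the original comment claimed ssl_ex_index_server "is not
    // assigned a destructor"; if the index really was registered without a
    // free callback this leaks one SBuf per TLS session — confirm where the
    // index is created.
    SBuf *host = new SBuf(securePeer ? peer->secure.sslDomain : SBuf(request->url.host()));
    SSL_set_ex_data(serverSession.get(), ssl_ex_index_server, host);
    Ssl::setClientSNI(serverSession.get(), host->c_str());

    // only cache_peers keep resumable session state (collected in
    // noteNegotiationDone() after a successful handshake)
    if (securePeer)
        Security::SetSessionResumeData(serverSession, peer->sslSession);
#endif

    debugs(83, 5, "success");
    return true;
}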
65 
// Called once the TLS handshake with the upstream has finished.
// On failure, records the failure against a TLS cache_peer (so peer
// selection can react); on success, captures the negotiated session state
// of a TLS cache_peer for resumption by later connections (consumed via
// SetSessionResumeData() in initialize()).
void
Security::BlindPeerConnector::noteNegotiationDone(ErrorState *error)
{
    auto *peer = serverConnection()->getPeer();
    const bool tlsPeer = peer && peer->secure.encryptTransport;

    if (error) {
        debugs(83, 5, "error=" << static_cast<void*>(error));
        // XXX: FwdState calls NoteOutgoingConnectionSuccess() after an OK TCP connect, but
        // we call noteFailure() if SSL failed afterwards. Is that OK?
        // It is not clear whether we should call noteSuccess()/noteFailure()/etc.
        // based on TCP results, SSL results, or both. And the code is probably not
        // consistent in this aspect across tunnelling and forwarding modules.
        if (tlsPeer)
            peer->noteFailure();
        return;
    }

    if (!tlsPeer)
        return;

    const int fd = serverConnection()->fd;
    Security::MaybeGetSessionResumeData(fd_table[fd].ssl, peer->sslSession);
}
88 
// Builds a connector that negotiates TLS with an already-open server
// connection without inspecting the traffic ("blind"). Everything except the
// triggering request is handled by the generic PeerConnector: the server
// connection, the callback that receives the EncryptorAnswer, the access
// log entry, and the negotiation timeout (0 = none specified by the caller).
Security::BlindPeerConnector::BlindPeerConnector(HttpRequestPointer &aRequest,
        const Comm::ConnectionPointer &aServerConn,
        const AsyncCallback<EncryptorAnswer> &aCallback,
        const AccessLogEntryPointer &alp,
        time_t timeout) :
    AsyncJob("Security::BlindPeerConnector"),
    Security::PeerConnector(aServerConn, aCallback, alp, timeout)
{
    // `request` is presumably declared in a base class (it is not in the
    // initializer list above), hence the assignment in the body
    request = aRequest;
}