1 /*
2 * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9 #ifndef SQUID_SRC_SSL_PEEKINGPEERCONNECTOR_H
10 #define SQUID_SRC_SSL_PEEKINGPEERCONNECTOR_H
11
12 #include "security/PeerConnector.h"
13
14 #if USE_OPENSSL
15
16 namespace Ssl
17 {
18
/// A PeerConnector for HTTP origin servers. Capable of SslBumping.
///
/// Drives the TLS handshake with the origin server on behalf of a bumped
/// client connection (clientConn). On top of the generic
/// Security::PeerConnector duties it runs the step3 ssl_bump ACL check that
/// decides whether the connection is bumped, spliced or terminated, and it
/// propagates server certificate details to the client connection manager.
class PeekingPeerConnector: public Security::PeerConnector {
    CBDATA_CLASS(PeekingPeerConnector);
public:
    /// \param aRequest    the client request this server connection serves;
    ///                    stored in the inherited request member
    /// \param aServerConn TCP connection to the origin server (base class)
    /// \param aClientConn TCP connection to the client being bumped
    /// \param aCallback   notified when the negotiation finishes (base class)
    /// \param alp         access log entry for this transaction (base class)
    /// \param timeout     negotiation timeout forwarded to the base class;
    ///                    the meaning of 0 is defined there — TODO confirm
    PeekingPeerConnector(HttpRequestPointer &aRequest,
                         const Comm::ConnectionPointer &aServerConn,
                         const Comm::ConnectionPointer &aClientConn,
                         AsyncCall::Pointer &aCallback,
                         const AccessLogEntryPointer &alp,
                         const time_t timeout = 0) :
        AsyncJob("Ssl::PeekingPeerConnector"),
        Security::PeerConnector(aServerConn, aCallback, alp, timeout),
        clientConn(aClientConn),
        splice(false),
        resumingSession(false),
        serverCertificateHandled(false)
    {
        // request is not declared in this class (presumably inherited from
        // Security::PeerConnector), so it is assigned here rather than in
        // the initializer list above
        request = aRequest;
    }

    /* Security::PeerConnector API */
    /// Overrides the base-class hook run before the handshake starts;
    /// see Security::PeerConnector for the contract.
    virtual bool initialize(Security::SessionPointer &);
    /// Supplies the TLS context used for this server-side session.
    virtual Security::ContextPointer getTlsContext();
    virtual void noteWantWrite();
    /// Called when the TLS negotiation fails.
    /// \param result        the negotiation result code
    /// \param ssl_error     the SSL-level error code
    /// \param ssl_lib_error the underlying TLS library error code
    virtual void noteNegotiationError(const int result, const int ssl_error, const int ssl_lib_error);
    /// Called when the negotiation is over; error is nil on success — TODO confirm
    virtual void noteNegotiationDone(ErrorState *error);

    /// Updates associated client connection manager members
    /// if the server certificate was received from the server.
    /// This runs on certificate receipt, before verification; see
    /// serverCertificateVerified() for the post-verification update.
    void handleServerCertificate();

    /// Initiates the ssl_bump acl check in step3 SSL bump step to decide
    /// about bumping, splicing or terminating the connection.
    void checkForPeekAndSplice();

    /// Callback function for ssl_bump acl check in step3 SSL bump step.
    /// \param answer the ACL verdict; the matched bump mode is derived from it
    void checkForPeekAndSpliceDone(allow_t answer);

    /// Handles the final bumping decision.
    /// \param finalMode the bump mode to apply to this connection
    void checkForPeekAndSpliceMatched(const Ssl::BumpMode finalMode);

    /// Guesses the final bumping decision when no ssl_bump rules match.
    /// NOTE(review): this fallback determines how connections not covered by
    /// any ssl_bump rule are treated; check the implementation when auditing
    /// the bump policy.
    Ssl::BumpMode checkForPeekAndSpliceGuess() const;

    /// Runs after the server certificate verified to update client
    /// connection manager members
    void serverCertificateVerified();

    /// A wrapper function for checkForPeekAndSpliceDone for use with acl
    /// \param answer the ACL verdict forwarded to checkForPeekAndSpliceDone()
    /// \param data   the PeekingPeerConnector instance (cbdata-managed;
    ///               presumably validated before use — confirm in the .cc)
    static void cbCheckForPeekAndSpliceDone(allow_t answer, void *data);

private:

    /// Inform caller class that the SSL negotiation aborted
    /// (from the name, the connection is then tunneled rather than
    /// failed — confirm in the .cc)
    void tunnelInsteadOfNegotiating();

    Comm::ConnectionPointer clientConn; ///< TCP connection to the client
    AsyncCall::Pointer closeHandler; ///< we call this when the connection closed
    bool splice; ///< whether we are going to splice or not
    bool resumingSession; ///< whether it is an SSL resuming session connection
    bool serverCertificateHandled; ///< whether handleServerCertificate() succeeded
};
81
82 } // namespace Ssl
83
84 #endif /* USE_OPENSSL */
85 #endif /* SQUID_SRC_SSL_PEEKINGPEERCONNECTOR_H */
86