[thirdparty/squid.git] / src / security / BlindPeerConnector.cc

/*
 * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

#include "squid.h"
#include "AccessLogEntry.h"
#include "CachePeer.h"
#include "comm/Connection.h"
#include "errorpage.h"
#include "fde.h"
#include "HttpRequest.h"
#include "neighbors.h"
#include "security/BlindPeerConnector.h"
#include "security/NegotiationHistory.h"
#include "SquidConfig.h"

CBDATA_NAMESPACED_CLASS_INIT(Security, BlindPeerConnector);

Security::ContextPointer
Security::BlindPeerConnector::getTlsContext()
{
    const CachePeer *peer = serverConnection()->getPeer();
    if (peer && peer->secure.encryptTransport)
        return peer->sslContext;

    return ::Config.ssl_client.sslContext;
}

bool
Security::BlindPeerConnector::initialize(Security::SessionPointer &serverSession)
{
    if (!Security::PeerConnector::initialize(serverSession)) {
        debugs(83, 5, "Security::PeerConnector::initialize failed");
        return false;
    }

    const CachePeer *peer = serverConnection()->getPeer();
    if (peer && peer->secure.encryptTransport) {
        assert(peer);

        // NP: domain may be a raw-IP but it is now always set
        assert(!peer->secure.sslDomain.isEmpty());

#if USE_OPENSSL
        // const loss is okay here, ssl_ex_index_server is only read and not assigned a destructor
        SBuf *host = new SBuf(peer->secure.sslDomain);
        SSL_set_ex_data(serverSession.get(), ssl_ex_index_server, host);
        Ssl::setClientSNI(serverSession.get(), host->c_str());

        Security::SetSessionResumeData(serverSession, peer->sslSession);
    } else {
        SBuf *hostName = new SBuf(request->url.host());
        SSL_set_ex_data(serverSession.get(), ssl_ex_index_server, (void*)hostName);
        Ssl::setClientSNI(serverSession.get(), hostName->c_str());
#endif
    }

    debugs(83, 5, "success");
    return true;
}

void
Security::BlindPeerConnector::noteNegotiationDone(ErrorState *error)
{
    auto *peer = serverConnection()->getPeer();

    if (error) {
        debugs(83, 5, "error=" << (void*)error);
        // XXX: FwdState calls NoteOutgoingConnectionSuccess() after an OK TCP connect, but
        // we call noteFailure() if SSL failed afterwards. Is that OK?
        // It is not clear whether we should call noteSuccess()/noteFailure()/etc.
        // based on TCP results, SSL results, or both. And the code is probably not
        // consistent in this aspect across tunnelling and forwarding modules.
        if (peer && peer->secure.encryptTransport)
            peer->noteFailure();
        return;
    }

    if (peer && peer->secure.encryptTransport) {
        const int fd = serverConnection()->fd;
        Security::MaybeGetSessionResumeData(fd_table[fd].ssl, peer->sslSession);
    }
}

Security::BlindPeerConnector::BlindPeerConnector(HttpRequestPointer &aRequest,
        const Comm::ConnectionPointer &aServerConn,
        const AsyncCallback<EncryptorAnswer> &aCallback,
        const AccessLogEntryPointer &alp,
        time_t timeout) :
    AsyncJob("Security::BlindPeerConnector"),
    Security::PeerConnector(aServerConn, aCallback, alp, timeout)
{
    request = aRequest;
}
Commit	Line	Data
32f1ca3f	1	/*
b8ae064d	2	* Copyright (C) 1996-2023 The Squid Software Foundation and contributors
32f1ca3f AJ	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
	9	#include "squid.h"
25b0ce45	10	#include "AccessLogEntry.h"
32f1ca3f AJ	11	#include "CachePeer.h"
32f1ca3f AJ	12	#include "comm/Connection.h"
0166128b	13	#include "errorpage.h"
32f1ca3f AJ	14	#include "fde.h"
	15	#include "HttpRequest.h"
	16	#include "neighbors.h"
a72b6e88	17	#include "security/BlindPeerConnector.h"
32f1ca3f AJ	18	#include "security/NegotiationHistory.h"
32f1ca3f AJ	19	#include "SquidConfig.h"
32f1ca3f	20
a72b6e88	21	CBDATA_NAMESPACED_CLASS_INIT(Security, BlindPeerConnector);
32f1ca3f	22
b23f5f9c AJ	23	Security::ContextPointer
b23f5f9c AJ	24	Security::BlindPeerConnector::getTlsContext()
32f1ca3f	25	{
f5e17947 CT	26	const CachePeer *peer = serverConnection()->getPeer();
f5e17947 CT	27	if (peer && peer->secure.encryptTransport)
b23f5f9c	28	return peer->sslContext;
f5e17947	29
b23f5f9c	30	return ::Config.ssl_client.sslContext;
32f1ca3f AJ	31	}
32f1ca3f AJ	32
eba8d9bb	33	bool
0166128b	34	Security::BlindPeerConnector::initialize(Security::SessionPointer &serverSession)
32f1ca3f	35	{
9c8549cf AJ	36	if (!Security::PeerConnector::initialize(serverSession)) {
9c8549cf AJ	37	debugs(83, 5, "Security::PeerConnector::initialize failed");
eba8d9bb	38	return false;
9c8549cf	39	}
32f1ca3f	40
f5e17947 CT	41	const CachePeer *peer = serverConnection()->getPeer();
f5e17947 CT	42	if (peer && peer->secure.encryptTransport) {
32f1ca3f AJ	43	assert(peer);
	44
	45	// NP: domain may be a raw-IP but it is now always set
	46	assert(!peer->secure.sslDomain.isEmpty());
	47
a72b6e88	48	#if USE_OPENSSL
32f1ca3f AJ	49	// const loss is okay here, ssl_ex_index_server is only read and not assigned a destructor
32f1ca3f AJ	50	SBuf *host = new SBuf(peer->secure.sslDomain);
eba8d9bb	51	SSL_set_ex_data(serverSession.get(), ssl_ex_index_server, host);
428819f3	52	Ssl::setClientSNI(serverSession.get(), host->c_str());
32f1ca3f	53
5d9a65df	54	Security::SetSessionResumeData(serverSession, peer->sslSession);
32f1ca3f AJ	55	} else {
32f1ca3f AJ	56	SBuf *hostName = new SBuf(request->url.host());
eba8d9bb	57	SSL_set_ex_data(serverSession.get(), ssl_ex_index_server, (void*)hostName);
428819f3	58	Ssl::setClientSNI(serverSession.get(), hostName->c_str());
a72b6e88	59	#endif
32f1ca3f	60	}
9c8549cf AJ	61
9c8549cf AJ	62	debugs(83, 5, "success");
eba8d9bb	63	return true;
32f1ca3f AJ	64	}
	65
	66	void
a72b6e88	67	Security::BlindPeerConnector::noteNegotiationDone(ErrorState *error)
32f1ca3f	68	{
f5e17947 CT	69	auto *peer = serverConnection()->getPeer();
f5e17947 CT	70
32f1ca3f	71	if (error) {
9c8549cf	72	debugs(83, 5, "error=" << (void*)error);
022dbabd EB	73	// XXX: FwdState calls NoteOutgoingConnectionSuccess() after an OK TCP connect, but
	74	// we call noteFailure() if SSL failed afterwards. Is that OK?
	75	// It is not clear whether we should call noteSuccess()/noteFailure()/etc.
32f1ca3f AJ	76	// based on TCP results, SSL results, or both. And the code is probably not
32f1ca3f AJ	77	// consistent in this aspect across tunnelling and forwarding modules.
f5e17947	78	if (peer && peer->secure.encryptTransport)
2e7dea3c	79	peer->noteFailure();
32f1ca3f AJ	80	return;
	81	}
	82
f5e17947	83	if (peer && peer->secure.encryptTransport) {
5d9a65df AJ	84	const int fd = serverConnection()->fd;
5d9a65df AJ	85	Security::MaybeGetSessionResumeData(fd_table[fd].ssl, peer->sslSession);
32f1ca3f AJ	86	}
	87	}
	88
2c6781d8 FC	89	Security::BlindPeerConnector::BlindPeerConnector(HttpRequestPointer &aRequest,
	90	const Comm::ConnectionPointer &aServerConn,
	91	const AsyncCallback<EncryptorAnswer> &aCallback,
	92	const AccessLogEntryPointer &alp,
	93	time_t timeout) :
	94	AsyncJob("Security::BlindPeerConnector"),
	95	Security::PeerConnector(aServerConn, aCallback, alp, timeout)
	96	{
	97	request = aRequest;
	98	}