32f1ca3f | 1 | /* |
b8ae064d | 2 | * Copyright (C) 1996-2023 The Squid Software Foundation and contributors |
3 | * |
4 | * Squid software is distributed under GPLv2+ license and includes | |
5 | * contributions from numerous individuals and organizations. | |
6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
7 | */ | |
8 | ||
9 | #include "squid.h" | |
25b0ce45 | 10 | #include "AccessLogEntry.h" |
11 | #include "CachePeer.h" |
12 | #include "comm/Connection.h" | |
0166128b | 13 | #include "errorpage.h" |
14 | #include "fde.h" |
15 | #include "HttpRequest.h" | |
16 | #include "neighbors.h" | |
a72b6e88 | 17 | #include "security/BlindPeerConnector.h" |
18 | #include "security/NegotiationHistory.h" |
19 | #include "SquidConfig.h" | |
32f1ca3f | 20 | |
// registers Security::BlindPeerConnector with Squid's cbdata type system
// (the class is an AsyncJob, see the constructor's base-class initializer)
CBDATA_NAMESPACED_CLASS_INIT(Security, BlindPeerConnector);
32f1ca3f | 22 | |
/// \returns the TLS context to use for serverConnection(): the cache_peer's own
/// context when the connection goes to a cache_peer with encrypted transport,
/// otherwise the global ssl_client default context
Security::FuturePeerContext *
Security::BlindPeerConnector::peerContext() const
{
    const auto peer = serverConnection()->getPeer();
    const bool encryptedPeer = peer && peer->secure.encryptTransport;
    if (!encryptedPeer)
        return Config.ssl_client.defaultPeerContext;
    return peer->securityContext();
}
32 | ||
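/// Prepares the TLS session for the upcoming handshake.
/// Runs Security::PeerConnector::initialize() first and returns false (after a
/// debugs() note) when that fails. With OpenSSL it then picks the SNI host
/// name and stores it in the session's ssl_ex_index_server ex-data: the
/// cache_peer's configured sslDomain when the connection goes to a cache_peer
/// with encrypted transport, otherwise the host from the request URL.
/// Session-resume data is applied only on the cache_peer path.
/// \param serverSession the TLS session being set up for serverConnection()
/// \return false when the base-class initialization failed, true otherwise
bool
Security::BlindPeerConnector::initialize(Security::SessionPointer &serverSession)
{
    if (!Security::PeerConnector::initialize(serverSession)) {
        debugs(83, 5, "Security::PeerConnector::initialize failed");
        return false;
    }

    const CachePeer *peer = serverConnection()->getPeer();
    // NOTE: the else-branch below exists only under USE_OPENSSL; with other
    // TLS libraries the cache_peer branch consists of the assert alone.
    if (peer && peer->secure.encryptTransport) {
        // NP: domain may be a raw-IP but it is now always set
        assert(!peer->secure.sslDomain.isEmpty());

#if USE_OPENSSL
        // The SBuf is heap-allocated and handed to the session ex-data. Per the
        // long-standing note here, ssl_ex_index_server is only read and has no
        // destructor callback, so nothing in this function releases it;
        // presumably its lifetime is handled by the ex-data owner — confirm.
        SBuf *host = new SBuf(peer->secure.sslDomain);
        SSL_set_ex_data(serverSession.get(), ssl_ex_index_server, host);
        Ssl::setClientSNI(serverSession.get(), host->c_str());

        Security::SetSessionResumeData(serverSession, peer->sslSession);
    } else {
        // no encrypted cache_peer: SNI is the origin host from the request URL
        SBuf *hostName = new SBuf(request->url.host());
        // SBuf* converts to void* implicitly; no cast needed
        SSL_set_ex_data(serverSession.get(), ssl_ex_index_server, hostName);
        Ssl::setClientSNI(serverSession.get(), hostName->c_str());
#endif
    }

    debugs(83, 5, "success");
    return true;
}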
65 | ||
/// Reacts to the end of the TLS negotiation with the server.
/// On error: logs the ErrorState pointer and, when the connection targets a
/// cache_peer with encrypted transport, calls that peer's noteFailure().
/// On success with such a peer: pulls session-resume data from the
/// connection's fde entry into peer->sslSession.
/// \param error nil on success, otherwise the negotiation failure
void
Security::BlindPeerConnector::noteNegotiationDone(ErrorState *error)
{
    auto *peer = serverConnection()->getPeer();
    const bool encryptedPeer = peer && peer->secure.encryptTransport;

    if (!error) {
        if (encryptedPeer) {
            const int fd = serverConnection()->fd;
            Security::MaybeGetSessionResumeData(fd_table[fd].ssl, peer->sslSession);
        }
        return;
    }

    debugs(83, 5, "error=" << (void*)error);
    // XXX: FwdState calls NoteOutgoingConnectionSuccess() after an OK TCP connect, but
    // we call noteFailure() if SSL failed afterwards. Is that OK?
    // It is not clear whether we should call noteSuccess()/noteFailure()/etc.
    // based on TCP results, SSL results, or both. And the code is probably not
    // consistent in this aspect across tunnelling and forwarding modules.
    if (encryptedPeer)
        peer->noteFailure();
}
88 | ||
/// Builds a connector that encrypts the already-open aServerConn and reports
/// the outcome through aCallback.
/// \param aRequest the request being forwarded; kept in the inherited
///        `request` member, which initialize() reads for the SNI host name
/// \param aServerConn the TCP connection to encrypt
/// \param aCallback receives the EncryptorAnswer when negotiation is done
/// \param alp the access-log entry of the transaction
/// \param timeout negotiation timeout, forwarded to Security::PeerConnector
Security::BlindPeerConnector::BlindPeerConnector(HttpRequestPointer &aRequest,
        const Comm::ConnectionPointer &aServerConn,
        const AsyncCallback<EncryptorAnswer> &aCallback,
        const AccessLogEntryPointer &alp,
        time_t timeout):
    AsyncJob("Security::BlindPeerConnector"),
    Security::PeerConnector(aServerConn, aCallback, alp, timeout)
{
    // `request` is not declared in this file (presumably a base-class member),
    // so it is assigned here rather than in the initializer list
    request = aRequest;
}