[thirdparty/squid.git] / src / ssl / helper.cc

/*
 * Copyright (C) 1996-2025 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

#include "squid.h"
#include "../helper.h"
#include "anyp/PortCfg.h"
#include "base/AsyncCallbacks.h"
#include "cache_cf.h"
#include "fs_io.h"
#include "helper/Reply.h"
#include "Parsing.h"
#include "sbuf/Stream.h"
#include "SquidConfig.h"
#include "ssl/cert_validate_message.h"
#include "ssl/Config.h"
#include "ssl/helper.h"
#include "wordlist.h"

#include <limits>

Ssl::CertValidationHelper::CacheType *Ssl::CertValidationHelper::HelperCache = nullptr;

#if USE_SSL_CRTD

namespace Ssl {

/// Initiator of an Ssl::Helper query.
class GeneratorRequestor {
public:
    GeneratorRequestor(HLPCB *aCallback, void *aData): callback(aCallback), data(aData) {}
    HLPCB *callback;
    CallbackData data;
};

/// A pending Ssl::Helper request, combining the original and collapsed queries.
class GeneratorRequest {
    CBDATA_CLASS(GeneratorRequest);

public:
    /// adds a GeneratorRequestor
    void emplace(HLPCB *callback, void *data) { requestors.emplace_back(callback, data); }

    SBuf query; ///< Ssl::Helper request message (GeneratorRequests key)

    /// Ssl::Helper request initiators waiting for the same answer (FIFO).
    typedef std::vector<GeneratorRequestor> GeneratorRequestors;
    GeneratorRequestors requestors;
};

/// Ssl::Helper query:GeneratorRequest map
typedef std::unordered_map<SBuf, GeneratorRequest*> GeneratorRequests;

static void HandleGeneratorReply(void *data, const ::Helper::Reply &reply);

/// pending Ssl::Helper requests (to all certificate generator helpers combined)
static GeneratorRequests &
TheGeneratorRequests()
{
    static auto generatorRequests = new GeneratorRequests();
    return *generatorRequests;
}

} // namespace Ssl

CBDATA_NAMESPACED_CLASS_INIT(Ssl, GeneratorRequest);

/// prints Ssl::GeneratorRequest for debugging
static std::ostream &
operator <<(std::ostream &os, const Ssl::GeneratorRequest &gr)
{
    return os << "crtGenRq" << gr.query.id.value << "/" << gr.requestors.size();
}

Helper::Client::Pointer Ssl::Helper::ssl_crtd;

void Ssl::Helper::Init()
{
    assert(ssl_crtd == nullptr);

    // we need to start ssl_crtd only if some port(s) need to bump SSL *and* generate certificates
    // TODO: generate host certificates for SNI enabled accel ports
    bool found = false;
    for (AnyP::PortCfgPointer s = HttpPortList; !found && s != nullptr; s = s->next)
        found = s->flags.tunnelSslBumping && s->secure.generateHostCertificates;
    if (!found)
        return;

    ssl_crtd = ::Helper::Client::Make("sslcrtd_program");
    ssl_crtd->childs.updateLimits(Ssl::TheConfig.ssl_crtdChildren);
    ssl_crtd->ipc_type = IPC_STREAM;
    // The crtd messages may contain the eol ('\n') character. We are
    // going to use the '\1' char as the end-of-message mark.
    ssl_crtd->eom = '\1';
    assert(ssl_crtd->cmdline == nullptr);
    {
        char *tmp = xstrdup(Ssl::TheConfig.ssl_crtd);
        char *tmp_begin = tmp;
        char *token = nullptr;
        while ((token = strwordtok(nullptr, &tmp))) {
            wordlistAdd(&ssl_crtd->cmdline, token);
        }
        safe_free(tmp_begin);
    }
    ssl_crtd->openSessions();
}

void Ssl::Helper::Shutdown()
{
    if (!ssl_crtd)
        return;
    helperShutdown(ssl_crtd);
    wordlistDestroy(&ssl_crtd->cmdline);
    ssl_crtd = nullptr;
}

void
Ssl::Helper::Reconfigure()
{
    Shutdown();
    Init();
}

void Ssl::Helper::Submit(CrtdMessage const & message, HLPCB * callback, void * data)
{
    SBuf rawMessage(message.compose().c_str()); // XXX: helpers cannot use SBuf
    rawMessage.append("\n", 1);

    const auto pending = TheGeneratorRequests().find(rawMessage);
    if (pending != TheGeneratorRequests().end()) {
        pending->second->emplace(callback, data);
        debugs(83, 5, "collapsed request from " << data << " onto " << *pending->second);
        return;
    }

    GeneratorRequest *request = new GeneratorRequest;
    request->query = rawMessage;
    request->emplace(callback, data);
    TheGeneratorRequests().emplace(request->query, request);
    debugs(83, 5, "request from " << data << " as " << *request);
    // ssl_crtd becomes nil if Squid is reconfigured without SslBump or
    // certificate generation disabled in the new configuration
    if (ssl_crtd && ssl_crtd->trySubmit(request->query.c_str(), HandleGeneratorReply, request))
        return;

    ::Helper::Reply failReply(::Helper::BrokenHelper);
    failReply.notes.add("message", "error 45 Temporary network problem, please retry later");
    HandleGeneratorReply(request, failReply);
}

/// receives helper response
static void
Ssl::HandleGeneratorReply(void *data, const ::Helper::Reply &reply)
{
    const std::unique_ptr<Ssl::GeneratorRequest> request(static_cast<Ssl::GeneratorRequest*>(data));
    assert(request);
    const auto erased = TheGeneratorRequests().erase(request->query);
    assert(erased);

    for (auto &requestor: request->requestors) {
        if (void *cbdata = requestor.data.validDone()) {
            debugs(83, 5, "to " << cbdata << " in " << *request);
            requestor.callback(cbdata, reply);
        }
    }
}
#endif //USE_SSL_CRTD

Helper::Client::Pointer Ssl::CertValidationHelper::ssl_crt_validator;

void Ssl::CertValidationHelper::Init()
{
    if (!Ssl::TheConfig.ssl_crt_validator)
        return;

    assert(ssl_crt_validator == nullptr);

    // we need to start ssl_crtd only if some port(s) need to bump SSL
    bool found = false;
    for (AnyP::PortCfgPointer s = HttpPortList; !found && s != nullptr; s = s->next)
        found = s->flags.tunnelSslBumping;
    if (!found)
        return;

    ssl_crt_validator = ::Helper::Client::Make("ssl_crt_validator");
    ssl_crt_validator->childs.updateLimits(Ssl::TheConfig.ssl_crt_validator_Children);
    ssl_crt_validator->ipc_type = IPC_STREAM;
    // The crtd messages may contain the eol ('\n') character. We are
    // going to use the '\1' char as the end-of-message mark.
    ssl_crt_validator->eom = '\1';
    assert(ssl_crt_validator->cmdline == nullptr);

    /* defaults */
    int ttl = 3600; // 1 hour
    size_t cache = 64*1024*1024; // 64 MB
    {
        // TODO: Do this during parseConfigFile() for proper parsing, error handling
        char *tmp = xstrdup(Ssl::TheConfig.ssl_crt_validator);
        char *tmp_begin = tmp;
        char * token = nullptr;
        bool parseParams = true;
        while ((token = strwordtok(nullptr, &tmp))) {
            if (parseParams) {
                if (strcmp(token, "ttl=infinity") == 0) {
                    ttl = std::numeric_limits<CacheType::Ttl>::max();
                    continue;
                } else if (strncmp(token, "ttl=", 4) == 0) {
                    ttl = xatoi(token + 4);
                    if (ttl < 0) {
                        throw TextException(ToSBuf("Negative TTL in sslcrtvalidator_program ", Ssl::TheConfig.ssl_crt_validator,
                                                   Debug::Extra, "For unlimited TTL, use ttl=infinity"),
                                            Here());
                    }
                    continue;
                } else if (strncmp(token, "cache=", 6) == 0) {
                    cache = xatoi(token + 6);
                    continue;
                } else
                    parseParams = false;
            }
            wordlistAdd(&ssl_crt_validator->cmdline, token);
        }
        xfree(tmp_begin);
    }
    ssl_crt_validator->openSessions();

    //WARNING: initializing static member in an object initialization method
    assert(HelperCache == nullptr);
    HelperCache = new CacheType(cache, ttl);
}

void Ssl::CertValidationHelper::Shutdown()
{
    if (!ssl_crt_validator)
        return;
    helperShutdown(ssl_crt_validator);
    wordlistDestroy(&ssl_crt_validator->cmdline);
    ssl_crt_validator = nullptr;

    // CertValidationHelper::HelperCache is a static member, it is not good policy to
    // reset it here. Will work because the current Ssl::CertValidationHelper is
    // always the same static object.
    delete HelperCache;
    HelperCache = nullptr;
}

void
Ssl::CertValidationHelper::Reconfigure()
{
    Shutdown();
    Init();
}

class submitData
{
    CBDATA_CLASS(submitData);

public:
    SBuf query;
    Ssl::CertValidationHelper::Callback callback;
    Security::SessionPointer ssl;
};
CBDATA_CLASS_INIT(submitData);

static void
sslCrtvdHandleReplyWrapper(void *data, const ::Helper::Reply &reply)
{
    Ssl::CertValidationMsg replyMsg(Ssl::CrtdMessage::REPLY);

    submitData *crtdvdData = static_cast<submitData *>(data);
    assert(crtdvdData->ssl.get());
    Ssl::CertValidationResponse::Pointer validationResponse = new Ssl::CertValidationResponse(crtdvdData->ssl);
    if (reply.result == ::Helper::BrokenHelper) {
        debugs(83, DBG_IMPORTANT, "ERROR: \"ssl_crtvd\" helper error response: " << reply.other().content());
        validationResponse->resultCode = ::Helper::BrokenHelper;
    } else if (!reply.other().hasContent()) {
        debugs(83, DBG_IMPORTANT, "\"ssl_crtvd\" helper returned NULL response");
        validationResponse->resultCode = ::Helper::BrokenHelper;
    } else if (replyMsg.parse(reply.other().content(), reply.other().contentSize()) != Ssl::CrtdMessage::OK ||
               !replyMsg.parseResponse(*validationResponse) ) {
        debugs(83, DBG_IMPORTANT, "WARNING: Reply from ssl_crtvd for " << " is incorrect");
        debugs(83, DBG_IMPORTANT, "ERROR: Certificate cannot be validated. ssl_crtvd response: " << replyMsg.getBody());
        validationResponse->resultCode = ::Helper::BrokenHelper;
    } else
        validationResponse->resultCode = reply.result;

    crtdvdData->callback.answer() = validationResponse;
    ScheduleCallHere(crtdvdData->callback.release());

    if (Ssl::CertValidationHelper::HelperCache &&
            (validationResponse->resultCode == ::Helper::Okay || validationResponse->resultCode == ::Helper::Error)) {
        (void)Ssl::CertValidationHelper::HelperCache->add(crtdvdData->query, validationResponse);
    }

    delete crtdvdData;
}

void
Ssl::CertValidationHelper::Submit(const Ssl::CertValidationRequest &request, const Callback &callback)
{
    Ssl::CertValidationMsg message(Ssl::CrtdMessage::REQUEST);
    message.setCode(Ssl::CertValidationMsg::code_cert_validate);
    message.composeRequest(request);
    debugs(83, 5, "SSL crtvd request: " << message.compose().c_str());

    submitData *crtdvdData = new submitData;
    crtdvdData->query.assign(message.compose().c_str());
    crtdvdData->query.append('\n');
    crtdvdData->callback = callback;
    crtdvdData->ssl = request.ssl;
    Ssl::CertValidationResponse::Pointer const*validationResponse;

    if (CertValidationHelper::HelperCache &&
            (validationResponse = CertValidationHelper::HelperCache->get(crtdvdData->query))) {

        crtdvdData->callback.answer() = *validationResponse;
        ScheduleCallHere(crtdvdData->callback.release());
        delete crtdvdData;
        return;
    }

    // ssl_crt_validator becomes nil if Squid is reconfigured with cert
    // validator disabled in the new configuration
    if (ssl_crt_validator && ssl_crt_validator->trySubmit(crtdvdData->query.c_str(), sslCrtvdHandleReplyWrapper, crtdvdData))
        return;

    Ssl::CertValidationResponse::Pointer resp = new Ssl::CertValidationResponse(crtdvdData->ssl);
    resp->resultCode = ::Helper::BrokenHelper;
    crtdvdData->callback.answer() = resp;
    ScheduleCallHere(crtdvdData->callback.release());
    delete crtdvdData;
    return;
}
Commit	Line	Data
	1	/*
	2	* Copyright (C) 1996-2025 The Squid Software Foundation and contributors
	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
	9	#include "squid.h"
	10	#include "../helper.h"
	11	#include "anyp/PortCfg.h"
	12	#include "base/AsyncCallbacks.h"
	13	#include "cache_cf.h"
	14	#include "fs_io.h"
	15	#include "helper/Reply.h"
	16	#include "Parsing.h"
	17	#include "sbuf/Stream.h"
	18	#include "SquidConfig.h"
	19	#include "ssl/cert_validate_message.h"
	20	#include "ssl/Config.h"
	21	#include "ssl/helper.h"
	22	#include "wordlist.h"
	23
	24	#include <limits>
	25
	26	Ssl::CertValidationHelper::CacheType *Ssl::CertValidationHelper::HelperCache = nullptr;
	27
	28	#if USE_SSL_CRTD
	29
	30	namespace Ssl {
	31
	32	/// Initiator of an Ssl::Helper query.
	33	class GeneratorRequestor {
	34	public:
	35	GeneratorRequestor(HLPCB aCallback, void aData): callback(aCallback), data(aData) {}
	36	HLPCB *callback;
	37	CallbackData data;
	38	};
	39
	40	/// A pending Ssl::Helper request, combining the original and collapsed queries.
	41	class GeneratorRequest {
	42	CBDATA_CLASS(GeneratorRequest);
	43
	44	public:
	45	/// adds a GeneratorRequestor
	46	void emplace(HLPCB callback, void data) { requestors.emplace_back(callback, data); }
	47
	48	SBuf query; ///< Ssl::Helper request message (GeneratorRequests key)
	49
	50	/// Ssl::Helper request initiators waiting for the same answer (FIFO).
	51	typedef std::vector<GeneratorRequestor> GeneratorRequestors;
	52	GeneratorRequestors requestors;
	53	};
	54
	55	/// Ssl::Helper query:GeneratorRequest map
	56	typedef std::unordered_map<SBuf, GeneratorRequest*> GeneratorRequests;
	57
	58	static void HandleGeneratorReply(void *data, const ::Helper::Reply &reply);
	59
	60	/// pending Ssl::Helper requests (to all certificate generator helpers combined)
	61	static GeneratorRequests &
	62	TheGeneratorRequests()
	63	{
	64	static auto generatorRequests = new GeneratorRequests();
	65	return *generatorRequests;
	66	}
	67
	68	} // namespace Ssl
	69
	70	CBDATA_NAMESPACED_CLASS_INIT(Ssl, GeneratorRequest);
	71
	72	/// prints Ssl::GeneratorRequest for debugging
	73	static std::ostream &
	74	operator <<(std::ostream &os, const Ssl::GeneratorRequest &gr)
	75	{
	76	return os << "crtGenRq" << gr.query.id.value << "/" << gr.requestors.size();
	77	}
	78
	79	Helper::Client::Pointer Ssl::Helper::ssl_crtd;
	80
	81	void Ssl::Helper::Init()
	82	{
	83	assert(ssl_crtd == nullptr);
	84
	85	// we need to start ssl_crtd only if some port(s) need to bump SSL and generate certificates
	86	// TODO: generate host certificates for SNI enabled accel ports
	87	bool found = false;
	88	for (AnyP::PortCfgPointer s = HttpPortList; !found && s != nullptr; s = s->next)
	89	found = s->flags.tunnelSslBumping && s->secure.generateHostCertificates;
	90	if (!found)
	91	return;
	92
	93	ssl_crtd = ::Helper::Client::Make("sslcrtd_program");
	94	ssl_crtd->childs.updateLimits(Ssl::TheConfig.ssl_crtdChildren);
	95	ssl_crtd->ipc_type = IPC_STREAM;
	96	// The crtd messages may contain the eol ('\n') character. We are
	97	// going to use the '\1' char as the end-of-message mark.
	98	ssl_crtd->eom = '\1';
	99	assert(ssl_crtd->cmdline == nullptr);
	100	{
	101	char *tmp = xstrdup(Ssl::TheConfig.ssl_crtd);
	102	char *tmp_begin = tmp;
	103	char *token = nullptr;
	104	while ((token = strwordtok(nullptr, &tmp))) {
	105	wordlistAdd(&ssl_crtd->cmdline, token);
	106	}
	107	safe_free(tmp_begin);
	108	}
	109	ssl_crtd->openSessions();
	110	}
	111
	112	void Ssl::Helper::Shutdown()
	113	{
	114	if (!ssl_crtd)
	115	return;
	116	helperShutdown(ssl_crtd);
	117	wordlistDestroy(&ssl_crtd->cmdline);
	118	ssl_crtd = nullptr;
	119	}
	120
	121	void
	122	Ssl::Helper::Reconfigure()
	123	{
	124	Shutdown();
	125	Init();
	126	}
	127
	128	void Ssl::Helper::Submit(CrtdMessage const & message, HLPCB * callback, void * data)
	129	{
	130	SBuf rawMessage(message.compose().c_str()); // XXX: helpers cannot use SBuf
	131	rawMessage.append("\n", 1);
	132
	133	const auto pending = TheGeneratorRequests().find(rawMessage);
	134	if (pending != TheGeneratorRequests().end()) {
	135	pending->second->emplace(callback, data);
	136	debugs(83, 5, "collapsed request from " << data << " onto " << *pending->second);
	137	return;
	138	}
	139
	140	GeneratorRequest *request = new GeneratorRequest;
	141	request->query = rawMessage;
	142	request->emplace(callback, data);
	143	TheGeneratorRequests().emplace(request->query, request);
	144	debugs(83, 5, "request from " << data << " as " << *request);
	145	// ssl_crtd becomes nil if Squid is reconfigured without SslBump or
	146	// certificate generation disabled in the new configuration
	147	if (ssl_crtd && ssl_crtd->trySubmit(request->query.c_str(), HandleGeneratorReply, request))
	148	return;
	149
	150	::Helper::Reply failReply(::Helper::BrokenHelper);
	151	failReply.notes.add("message", "error 45 Temporary network problem, please retry later");
	152	HandleGeneratorReply(request, failReply);
	153	}
	154
	155	/// receives helper response
	156	static void
	157	Ssl::HandleGeneratorReply(void *data, const ::Helper::Reply &reply)
	158	{
	159	const std::unique_ptr<Ssl::GeneratorRequest> request(static_cast<Ssl::GeneratorRequest*>(data));
	160	assert(request);
	161	const auto erased = TheGeneratorRequests().erase(request->query);
	162	assert(erased);
	163
	164	for (auto &requestor: request->requestors) {
	165	if (void *cbdata = requestor.data.validDone()) {
	166	debugs(83, 5, "to " << cbdata << " in " << *request);
	167	requestor.callback(cbdata, reply);
	168	}
	169	}
	170	}
	171	#endif //USE_SSL_CRTD
	172
	173	Helper::Client::Pointer Ssl::CertValidationHelper::ssl_crt_validator;
	174
	175	void Ssl::CertValidationHelper::Init()
	176	{
	177	if (!Ssl::TheConfig.ssl_crt_validator)
	178	return;
	179
	180	assert(ssl_crt_validator == nullptr);
	181
	182	// we need to start ssl_crtd only if some port(s) need to bump SSL
	183	bool found = false;
	184	for (AnyP::PortCfgPointer s = HttpPortList; !found && s != nullptr; s = s->next)
	185	found = s->flags.tunnelSslBumping;
	186	if (!found)
	187	return;
	188
	189	ssl_crt_validator = ::Helper::Client::Make("ssl_crt_validator");
	190	ssl_crt_validator->childs.updateLimits(Ssl::TheConfig.ssl_crt_validator_Children);
	191	ssl_crt_validator->ipc_type = IPC_STREAM;
	192	// The crtd messages may contain the eol ('\n') character. We are
	193	// going to use the '\1' char as the end-of-message mark.
	194	ssl_crt_validator->eom = '\1';
	195	assert(ssl_crt_validator->cmdline == nullptr);
	196
	197	/* defaults */
	198	int ttl = 3600; // 1 hour
	199	size_t cache = 6410241024; // 64 MB
	200	{
	201	// TODO: Do this during parseConfigFile() for proper parsing, error handling
	202	char *tmp = xstrdup(Ssl::TheConfig.ssl_crt_validator);
	203	char *tmp_begin = tmp;
	204	char * token = nullptr;
	205	bool parseParams = true;
	206	while ((token = strwordtok(nullptr, &tmp))) {
	207	if (parseParams) {
	208	if (strcmp(token, "ttl=infinity") == 0) {
	209	ttl = std::numeric_limits<CacheType::Ttl>::max();
	210	continue;
	211	} else if (strncmp(token, "ttl=", 4) == 0) {
	212	ttl = xatoi(token + 4);
	213	if (ttl < 0) {
	214	throw TextException(ToSBuf("Negative TTL in sslcrtvalidator_program ", Ssl::TheConfig.ssl_crt_validator,
	215	Debug::Extra, "For unlimited TTL, use ttl=infinity"),
	216	Here());
	217	}
	218	continue;
	219	} else if (strncmp(token, "cache=", 6) == 0) {
	220	cache = xatoi(token + 6);
	221	continue;
	222	} else
	223	parseParams = false;
	224	}
	225	wordlistAdd(&ssl_crt_validator->cmdline, token);
	226	}
	227	xfree(tmp_begin);
	228	}
	229	ssl_crt_validator->openSessions();
	230
	231	//WARNING: initializing static member in an object initialization method
	232	assert(HelperCache == nullptr);
	233	HelperCache = new CacheType(cache, ttl);
	234	}
	235
	236	void Ssl::CertValidationHelper::Shutdown()
	237	{
	238	if (!ssl_crt_validator)
	239	return;
	240	helperShutdown(ssl_crt_validator);
	241	wordlistDestroy(&ssl_crt_validator->cmdline);
	242	ssl_crt_validator = nullptr;
	243
	244	// CertValidationHelper::HelperCache is a static member, it is not good policy to
	245	// reset it here. Will work because the current Ssl::CertValidationHelper is
	246	// always the same static object.
	247	delete HelperCache;
	248	HelperCache = nullptr;
	249	}
	250
	251	void
	252	Ssl::CertValidationHelper::Reconfigure()
	253	{
	254	Shutdown();
	255	Init();
	256	}
	257
	258	class submitData
	259	{
	260	CBDATA_CLASS(submitData);
	261
	262	public:
	263	SBuf query;
	264	Ssl::CertValidationHelper::Callback callback;
	265	Security::SessionPointer ssl;
	266	};
	267	CBDATA_CLASS_INIT(submitData);
	268
	269	static void
	270	sslCrtvdHandleReplyWrapper(void *data, const ::Helper::Reply &reply)
	271	{
	272	Ssl::CertValidationMsg replyMsg(Ssl::CrtdMessage::REPLY);
	273
	274	submitData crtdvdData = static_cast<submitData >(data);
	275	assert(crtdvdData->ssl.get());
	276	Ssl::CertValidationResponse::Pointer validationResponse = new Ssl::CertValidationResponse(crtdvdData->ssl);
	277	if (reply.result == ::Helper::BrokenHelper) {
	278	debugs(83, DBG_IMPORTANT, "ERROR: \"ssl_crtvd\" helper error response: " << reply.other().content());
	279	validationResponse->resultCode = ::Helper::BrokenHelper;
	280	} else if (!reply.other().hasContent()) {
	281	debugs(83, DBG_IMPORTANT, "\"ssl_crtvd\" helper returned NULL response");
	282	validationResponse->resultCode = ::Helper::BrokenHelper;
	283	} else if (replyMsg.parse(reply.other().content(), reply.other().contentSize()) != Ssl::CrtdMessage::OK \|\|
	284	!replyMsg.parseResponse(*validationResponse) ) {
	285	debugs(83, DBG_IMPORTANT, "WARNING: Reply from ssl_crtvd for " << " is incorrect");
	286	debugs(83, DBG_IMPORTANT, "ERROR: Certificate cannot be validated. ssl_crtvd response: " << replyMsg.getBody());
	287	validationResponse->resultCode = ::Helper::BrokenHelper;
	288	} else
	289	validationResponse->resultCode = reply.result;
	290
	291	crtdvdData->callback.answer() = validationResponse;
	292	ScheduleCallHere(crtdvdData->callback.release());
	293
	294	if (Ssl::CertValidationHelper::HelperCache &&
	295	(validationResponse->resultCode == ::Helper::Okay \|\| validationResponse->resultCode == ::Helper::Error)) {
	296	(void)Ssl::CertValidationHelper::HelperCache->add(crtdvdData->query, validationResponse);
	297	}
	298
	299	delete crtdvdData;
	300	}
	301
	302	void
	303	Ssl::CertValidationHelper::Submit(const Ssl::CertValidationRequest &request, const Callback &callback)
	304	{
	305	Ssl::CertValidationMsg message(Ssl::CrtdMessage::REQUEST);
	306	message.setCode(Ssl::CertValidationMsg::code_cert_validate);
	307	message.composeRequest(request);
	308	debugs(83, 5, "SSL crtvd request: " << message.compose().c_str());
	309
	310	submitData *crtdvdData = new submitData;
	311	crtdvdData->query.assign(message.compose().c_str());
	312	crtdvdData->query.append('\n');
	313	crtdvdData->callback = callback;
	314	crtdvdData->ssl = request.ssl;
	315	Ssl::CertValidationResponse::Pointer const*validationResponse;
	316
	317	if (CertValidationHelper::HelperCache &&
	318	(validationResponse = CertValidationHelper::HelperCache->get(crtdvdData->query))) {
	319
	320	crtdvdData->callback.answer() = *validationResponse;
	321	ScheduleCallHere(crtdvdData->callback.release());
	322	delete crtdvdData;
	323	return;
	324	}
	325
	326	// ssl_crt_validator becomes nil if Squid is reconfigured with cert
	327	// validator disabled in the new configuration
	328	if (ssl_crt_validator && ssl_crt_validator->trySubmit(crtdvdData->query.c_str(), sslCrtvdHandleReplyWrapper, crtdvdData))
	329	return;
	330
	331	Ssl::CertValidationResponse::Pointer resp = new Ssl::CertValidationResponse(crtdvdData->ssl);
	332	resp->resultCode = ::Helper::BrokenHelper;
	333	crtdvdData->callback.answer() = resp;
	334	ScheduleCallHere(crtdvdData->callback.release());
	335	delete crtdvdData;
	336	return;
	337	}
	338