/*
- * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
+ * Copyright (C) 1996-2020 The Squid Software Foundation and contributors
*
* Squid software is distributed under GPLv2+ license and includes
* contributions from numerous individuals and organizations.
#if USE_OPENSSL
+#include "compat/openssl.h"
+#include "FadingCounter.h"
#include "fd.h"
+#include "MemBuf.h"
#include "security/Handshake.h"
+#include "ssl/support.h"
#include <iosfwd>
#include <list>
class ClientBio: public Bio
{
public:
- explicit ClientBio(const int anFd): Bio(anFd), holdRead_(false), holdWrite_(false), helloSize(0) {}
+ explicit ClientBio(const int anFd);
/// The ClientBio version of the Ssl::Bio::stateChanged method
/// When the client hello message retrieved, fill the
/// by the caller.
void setReadBufData(SBuf &data) {rbuf = data;}
private:
+ /// approximate size of a time window for computing client-initiated renegotiation rate (in seconds)
+ static const time_t RenegotiationsWindow = 10;
+
+ /// the maximum tolerated number of client-initiated renegotiations in RenegotiationsWindow
+ static const int RenegotiationsLimit = 5;
+
bool holdRead_; ///< The read hold state of the bio.
bool holdWrite_; ///< The write hold state of the bio.
int helloSize; ///< The SSL hello message sent by client size
+ FadingCounter renegotiations; ///< client requested renegotiations limit control
+
+ /// why we should terminate the connection during next TLS operation (or nil)
+ const char *abortReason;
};
/// BIO node to handle socket IO for squid server side
/// SSL client features extracted from ClientHello message or SSL object
Security::TlsDetails::Pointer clientTlsDetails;
/// TLS client hello message, used to adapt our tls Hello message to the server
- SBuf clientHelloMessage;
+ SBuf clientSentHello;
SBuf helloMsg; ///< Used to buffer output data.
mb_size_t helloMsgSize;
bool helloBuild; ///< True if the client hello message sent to the server
void
applyTlsDetailsToSSL(SSL *ssl, Security::TlsDetails::Pointer const &details, Ssl::BumpMode bumpMode);
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
-// OpenSSL v1.0 bio compatibility functions
-inline void *BIO_get_data(BIO *table) { return table->ptr; }
-inline void BIO_set_data(BIO *table, void *data) { table->ptr = data; }
-inline int BIO_get_init(BIO *table) { return table->init; }
-inline void BIO_set_init(BIO *table, int init) { table->init = init; }
-#endif
-
#endif /* USE_OPENSSL */
#endif /* SQUID_SSL_BIO_H */
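Review bot: The new `abortReason` member has no in-class initializer, and because the ClientBio constructor is now only declared here (its definition is outside this hunk), the header no longer shows that the pointer starts out null even though its comment promises "(or nil)"; `const char *abortReason = nullptr;` would make that guarantee visible and independent of the out-of-line constructor. The same applies to `holdRead_`, `holdWrite_` and `helloSize`, whose initialization left the header together with the inline constructor body. The `renegotiations` comment, `client requested renegotiations limit control`, does not say what is counted; something like `/// counts recent client-initiated renegotiations, checked against RenegotiationsLimit` would tie it to the two constants above it. `RenegotiationsWindow` and `RenegotiationsLimit` are `static const` with in-class initializers, which is fine as long as they are only used by value; if either is bound to a reference parameter (for example when passed to the FadingCounter constructor, which is not visible here), they would also need an out-of-class definition, so that is worth confirming against the .cc side.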