ip/libip.la \
fs/libfs.la \
DiskIO/libdiskio.la \
+ comm/libcomm.la \
$(SSL_LIBS) \
+ security/libsecurity.la \
ipc/libipc.la \
mgr/libmgr.la \
anyp/libanyp.la \
- comm/libcomm.la \
- security/libsecurity.la \
parser/libparser.la \
eui/libeui.la \
icmp/libicmp.la \
AccessLogEntry::Pointer const &alp,
const time_t timeout = 0):
AsyncJob("Ssl::IcapPeerConnector"),
- PeerConnector(aServerConn, aCallback, alp, timeout), icapService(service) {}
+ Security::PeerConnector(aServerConn, aCallback, alp, timeout), icapService(service) {}
/* Security::PeerConnector API */
- virtual bool initializeTls(Security::SessionPointer &);
+ virtual bool initialize(Security::SessionPointer &);
virtual void noteNegotiationDone(ErrorState *error);
virtual Security::ContextPtr getSslContext() {return icapService->sslContext;}
CloseDialer(this,&Adaptation::Icap::Xaction::noteCommClosed));
comm_add_close_handler(io.conn->fd, closer);
- // If it is a reused connection and the SSL object is build
- // we should not negotiate new SSL session
+ // If it is a reused connection and the TLS object is built
+ // we should not negotiate new TLS session
const auto &ssl = fd_table[io.conn->fd].ssl;
if (!ssl && service().cfg().secure.encryptTransport) {
CbcPointer<Adaptation::Icap::Xaction> me(this);
}
bool
-Ssl::IcapPeerConnector::initializeTls(Security::SessionPointer &serverSession)
+Ssl::IcapPeerConnector::initialize(Security::SessionPointer &serverSession)
{
- if (!Security::PeerConnector::initializeTls(serverSession))
+ if (!Security::PeerConnector::initialize(serverSession))
return false;
#if USE_OPENSSL
if (answer.conn != NULL)
answer.conn->close();
debugs(93, 2, typeName <<
- " SSL negotiation to " << service().cfg().uri << " failed");
+ " TLS negotiation to " << service().cfg().uri << " failed");
service().noteConnectionFailed("failure");
detailError(ERR_DETAIL_ICAP_XACT_SSL_START);
- throw TexcHere("cannot connect to the SSL ICAP service");
+ throw TexcHere("cannot connect to the TLS ICAP service");
}
- debugs(93, 5, "SSL negotiation to " << service().cfg().uri << " complete");
+ debugs(93, 5, "TLS negotiation to " << service().cfg().uri << " complete");
service().noteConnectionUse(answer.conn);
#include "squid.h"
#include "CachePeer.h"
#include "comm/Connection.h"
+#include "errorpage.h"
#include "fde.h"
#include "HttpRequest.h"
#include "neighbors.h"
}
bool
-Security::BlindPeerConnector::initializeTls(Security::SessionPointer &serverSession)
+Security::BlindPeerConnector::initialize(Security::SessionPointer &serverSession)
{
- if (!Security::PeerConnector::initializeTls(serverSession))
+ if (!Security::PeerConnector::initialize(serverSession))
return false;
if (const CachePeer *peer = serverConnection()->getPeer()) {
* Please see the COPYING and CONTRIBUTORS files for details.
*/
-#ifndef SQUID_SRC_SSL_BLINDPEERCONNECTOR_H
-#define SQUID_SRC_SSL_BLINDPEERCONNECTOR_H
+#ifndef SQUID_SRC_SECURITY_BLINDPEERCONNECTOR_H
+#define SQUID_SRC_SECURITY_BLINDPEERCONNECTOR_H
#include "security/PeerConnector.h"
+class ErrorState;
+
namespace Security
{
/* Security::PeerConnector API */
- /// Calls parent initializeTls(), configure the created TLS session object to
- /// try reuse TLS session and sets the hostname to use for certificates validation
+ /// Calls parent initialize(), configures the created TLS session object
+ /// to try and reuse a TLS session and sets the hostname to use for
+ /// certificate validation
/// \returns true on successful initialization
- virtual bool initializeTls(Security::SessionPointer &);
+ virtual bool initialize(Security::SessionPointer &);
/// Return the configured Security::ContextPtr object
virtual Security::ContextPtr getSslContext();
- /// On error calls peerConnectFailed function, on success store the used SSL session
- /// for later use
- virtual void noteNegotiationDone(ErrorState *error);
+ /// On error calls peerConnectFailed().
+ /// On success store the used TLS session for later use.
+ virtual void noteNegotiationDone(ErrorState *);
};
} // namespace Security
-#endif /* SQUID_SRC_SSL_BLINDPEERCONNECTOR_H */
+#endif /* SQUID_SRC_SECURITY_BLINDPEERCONNECTOR_H */
AsyncJob::start();
Security::SessionPointer tmp;
- if (prepareSocket() && initializeTls(tmp))
- negotiateSsl();
+ if (prepareSocket() && initialize(tmp))
+ negotiate();
else
mustStop("Security::PeerConnector TLS socket initialize failed");
}
}
bool
-Security::PeerConnector::initializeTls(Security::SessionPointer &serverSession)
+Security::PeerConnector::initialize(Security::SessionPointer &serverSession)
{
#if USE_OPENSSL
Security::ContextPtr sslContext(getSslContext());
if (!Ssl::CreateClient(sslContext, serverConnection(), "server https start")) {
ErrorState *anErr = new ErrorState(ERR_SOCKET_FAILURE, Http::scInternalServerError, request.getRaw());
anErr->xerrno = errno;
- debugs(83, DBG_IMPORTANT, "Error allocating SSL handle: " << ERR_error_string(ERR_get_error(), NULL));
+ debugs(83, DBG_IMPORTANT, "Error allocating TLS handle: " << ERR_error_string(ERR_get_error(), NULL));
noteNegotiationDone(anErr);
bail(anErr);
return false;
}
void
-Security::PeerConnector::negotiateSsl()
+Security::PeerConnector::negotiate()
{
- if (!Comm::IsConnOpen(serverConnection()) || fd_table[serverConnection()->fd].closing())
+ if (!Comm::IsConnOpen(serverConnection()))
return;
-#if USE_OPENSSL
const int fd = serverConnection()->fd;
- Security::SessionPtr ssl = fd_table[fd].ssl.get();
- const int result = SSL_connect(ssl);
+ if (fd_table[fd].closing())
+ return;
+
+#if USE_OPENSSL
+ const int result = SSL_connect(fd_table[fd].ssl.get());
#else
const int result = -1;
#endif
void
Security::PeerConnector::NegotiateSsl(int, void *data)
{
- PeerConnector *pc = static_cast<PeerConnector*>(data);
+ PeerConnector *pc = static_cast<Security::PeerConnector *>(data);
// Use job calls to add done() checks and other job logic/protections.
- CallJobHere(83, 7, pc, Security::PeerConnector, negotiateSsl);
+ CallJobHere(83, 7, pc, Security::PeerConnector, negotiate);
}
void
// Log connection details, if any
recordNegotiationDetails();
- noteSslNegotiationError(ret, ssl_error, ssl_lib_error);
+ noteNegotiationError(ret, ssl_error, ssl_lib_error);
#endif
}
}
void
-Security::PeerConnector::noteSslNegotiationError(const int ret, const int ssl_error, const int ssl_lib_error)
+Security::PeerConnector::noteNegotiationError(const int ret, const int ssl_error, const int ssl_lib_error)
{
#if USE_OPENSSL // not used unless OpenSSL enabled.
#if defined(EPROTO)
anErr->xerrno = sysErrNo;
Security::SessionPtr ssl = fd_table[fd].ssl.get();
- Ssl::ErrorDetail *errFromFailure = (Ssl::ErrorDetail *)SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_detail);
+ Ssl::ErrorDetail *errFromFailure = static_cast<Ssl::ErrorDetail *>(SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_detail));
if (errFromFailure != NULL) {
// The errFromFailure is attached to the ssl object
// and will be released when ssl object destroyed.
* Please see the COPYING and CONTRIBUTORS files for details.
*/
-#ifndef SQUID_SRC_SSL_PEERCONNECTOR_H
-#define SQUID_SRC_SSL_PEERCONNECTOR_H
+#ifndef SQUID_SRC_SECURITY_PEERCONNECTOR_H
+#define SQUID_SRC_SECURITY_PEERCONNECTOR_H
#include "acl/Acl.h"
#include "base/AsyncCbdataCalls.h"
#include "base/AsyncJob.h"
#include "CommCalls.h"
+#include "http/forward.h"
#include "security/EncryptorAnswer.h"
#include "security/forward.h"
#if USE_OPENSSL
#include <iosfwd>
#include <queue>
-class HttpRequest;
class ErrorState;
class AccessLogEntry;
typedef RefCount<AccessLogEntry> AccessLogEntryPointer;
{
/**
- * Connects Squid to SSL/TLS-capable peers or services.
- * Contains common code and interfaces of various specialized PeerConnectors,
+ * Initiates encryption on a connection to peers or servers.
+ * Despite its name does not perform any connect(2) operations.
+ *
+ * Contains common code and interfaces of various specialized PeerConnector's,
* including peer certificate validation code.
\par
* The caller receives a call back with Security::EncryptorAnswer. If answer.error
- * is not nil, then there was an error and the SSL connection to the SSL peer
+ * is not nil, then there was an error and the encryption to the peer or server
* was not fully established. The error object is suitable for error response
* generation.
\par
* The caller must monitor the connection for closure because this
* job will not inform the caller about such events.
\par
- * PeerConnector class curently supports a form of SSL negotiation timeout,
- * which accounted only when sets the read timeout from SSL peer.
+ * PeerConnector class currently supports a form of TLS negotiation timeout,
+ * which is accounted only when sets the read timeout from encrypted peers/servers.
* For a complete solution, the caller must monitor the overall connection
* establishment timeout and close the connection on timeouts. This is probably
* better than having dedicated (or none at all!) timeouts for peer selection,
* DNS lookup, TCP handshake, SSL handshake, etc. Some steps may have their
* own timeout, but not all steps should be forced to have theirs.
- * XXX: tunnel.cc and probably other subsystems does not have an "overall
+ * XXX: tunnel.cc and probably other subsystems do not have an "overall
* connection establishment" timeout. We need to change their code so that they
* start monitoring earlier and close on timeouts. This change may need to be
* discussed on squid-dev.
CBDATA_CLASS(PeerConnector);
public:
- /// Callback dialier API to allow PeerConnector to set the answer.
+ /// Callback dialer API to allow PeerConnector to set the answer.
class CbDialer
{
public:
virtual Security::EncryptorAnswer &answer() = 0;
};
- typedef RefCount<HttpRequest> HttpRequestPointer;
-
public:
PeerConnector(const Comm::ConnectionPointer &aServerConn,
AsyncCall::Pointer &aCallback,
void setReadTimeout();
/// \returns true on successful TLS session initialization
- virtual bool initializeTls(Security::SessionPointer &);
+ virtual bool initialize(Security::SessionPointer &);
/// Performs a single secure connection negotiation step.
- /// It is called multiple times untill the negotiation finish or aborted.
- void negotiateSsl();
+ /// It is called multiple times untill the negotiation finishes or aborts.
+ void negotiate();
- /// Called after SSL negotiations have finished. Cleans up SSL state.
+ /// Called after negotiation has finished. Cleans up TLS/SSL state.
/// Returns false if we are now waiting for the certs validation job.
/// Otherwise, returns true, regardless of negotiation success/failure.
bool sslFinalized();
- /// Called when the SSL negotiation step aborted because data needs to
- /// be transferred to/from SSL server or on error. In the first case
+ /// Called when the negotiation step aborted because data needs to
+ /// be transferred to/from server or on error. In the first case
/// setups the appropriate Comm::SetSelect handler. In second case
/// fill an error and report to the PeerConnector caller.
void handleNegotiateError(const int result);
/// \param result the SSL_connect return code
/// \param ssl_error the error code returned from the SSL_get_error function
/// \param ssl_lib_error the error returned from the ERR_Get_Error function
- virtual void noteSslNegotiationError(const int result, const int ssl_error, const int ssl_lib_error);
+ virtual void noteNegotiationError(const int result, const int ssl_error, const int ssl_lib_error);
/// Called when the SSL negotiation to the server completed and the certificates
/// validated using the cert validator.
virtual void noteNegotiationDone(ErrorState *error) {}
/// Must implemented by the kid classes to return the Security::ContextPtr object to use
- /// for building the SSL objects.
+ /// for building the encryption context objects.
virtual Security::ContextPtr getSslContext() = 0;
/// mimics FwdState to minimize changes to FwdState::initiate/negotiateSsl
} // namespace Security
-#endif /* SQUID_SRC_SSL_PEERCONNECTOR_H */
+#endif /* SQUID_SRC_SECURITY_PEERCONNECTOR_H */
}
bool
-Ssl::PeekingPeerConnector::initializeTls(Security::SessionPointer &serverSession)
+Ssl::PeekingPeerConnector::initialize(Security::SessionPointer &serverSession)
{
- if (!Security::PeerConnector::initializeTls(serverSession))
+ if (!Security::PeerConnector::initialize(serverSession))
return false;
if (ConnStateData *csd = request->clientConnectionManager.valid()) {
}
void
-Ssl::PeekingPeerConnector::noteSslNegotiationError(const int result, const int ssl_error, const int ssl_lib_error)
+Ssl::PeekingPeerConnector::noteNegotiationError(const int result, const int ssl_error, const int ssl_lib_error)
{
const int fd = serverConnection()->fd;
Security::SessionPtr ssl = fd_table[fd].ssl.get();
}
// else call parent noteNegotiationError to produce an error page
- Security::PeerConnector::noteSslNegotiationError(result, ssl_error, ssl_lib_error);
+ Security::PeerConnector::noteNegotiationError(result, ssl_error, ssl_lib_error);
}
void
}
/* Security::PeerConnector API */
- virtual bool initializeTls(Security::SessionPointer &);
+ virtual bool initialize(Security::SessionPointer &);
virtual Security::ContextPtr getSslContext();
virtual void noteWantWrite();
- virtual void noteSslNegotiationError(const int result, const int ssl_error, const int ssl_lib_error);
+ virtual void noteNegotiationError(const int result, const int ssl_error, const int ssl_lib_error);
virtual void noteNegotiationDone(ErrorState *error);
/// Updates associated client connection manager members
CBDATA_NAMESPACED_CLASS_INIT(Security, BlindPeerConnector);
namespace Security
{
-bool BlindPeerConnector::initializeTls(Security::SessionPointer &) STUB_RETVAL(false)
+bool BlindPeerConnector::initialize(Security::SessionPointer &) STUB_RETVAL(false)
Security::ContextPtr BlindPeerConnector::getSslContext() STUB_RETVAL(nullptr)
void BlindPeerConnector::noteNegotiationDone(ErrorState *) STUB
}
+
#include "security/EncryptorAnswer.h"
Security::EncryptorAnswer::~EncryptorAnswer() {}
std::ostream &Security::operator <<(std::ostream &os, const Security::EncryptorAnswer &) STUB_RETVAL(os)
void PeerConnector::connectionClosed(const char *) STUB
bool PeerConnector::prepareSocket() STUB_RETVAL(false)
void PeerConnector::setReadTimeout() STUB
-bool PeerConnector::initializeTls(Security::SessionPointer &) STUB_RETVAL(false)
-void PeerConnector::negotiateSsl() STUB
+bool PeerConnector::initialize(Security::SessionPointer &) STUB_RETVAL(false)
+void PeerConnector::negotiate() STUB
bool PeerConnector::sslFinalized() STUB_RETVAL(false)
void PeerConnector::handleNegotiateError(const int) STUB
void PeerConnector::noteWantRead() STUB
void PeerConnector::noteWantWrite() STUB
-void PeerConnector::noteSslNegotiationError(const int, const int, const int) STUB
+void PeerConnector::noteNegotiationError(const int, const int, const int) STUB
// virtual Security::ContextPtr getSslContext() = 0;
void PeerConnector::bail(ErrorState *) STUB
void PeerConnector::callBack() STUB
void connectToPeer();
private:
- /// Gives PeerConnector access to Answer in the TunnelStateData callback dialer.
+ /// Gives Security::PeerConnector access to Answer in the TunnelStateData callback dialer.
class MyAnswerDialer: public CallDialer, public Security::PeerConnector::CbDialer
{
public:
case AnyP::PROTO_HTTPS:
#if USE_OPENSSL
-
rc = 1;
-
- break;
-
#else
/*
* Squid can't originate an SSL connection, so it should
* CONNECT instead.
*/
rc = 0;
-
#endif
+ break;
default:
break;
projects / thirdparty / squid.git / commitdiff
