}
#if USE_OPENSSL
-
-/** Create SSL connection structure and update fd_table */
+/// Create TLS connection structure and update fd_table
static bool
httpsCreate(const Comm::ConnectionPointer &conn, const Security::ContextPointer &ctx)
{
- if (Ssl::CreateServer(ctx, conn, "client https start")) {
- debugs(33, 5, "will negotate SSL on " << conn);
+ if (Security::CreateServerSession(ctx, conn, "client https start")) {
+ debugs(33, 5, "will negotate TLS on " << conn);
return true;
}
Security::ContextPointer ctx(getTlsContext());
assert(ctx);
- if (!Ssl::CreateClient(ctx, serverConnection(), "server https start")) {
+ if (!Security::CreateClientSession(ctx, serverConnection(), "server https start")) {
ErrorState *anErr = new ErrorState(ERR_SOCKET_FAILURE, Http::scInternalServerError, request.getRaw());
anErr->xerrno = errno;
debugs(83, DBG_IMPORTANT, "Error allocating TLS handle: " << ERR_error_string(ERR_get_error(), NULL));
#include "anyp/PortCfg.h"
#include "base/RunnersRegistry.h"
#include "Debug.h"
+#include "fde.h"
#include "ipc/MemMap.h"
#include "security/Session.h"
#include "SquidConfig.h"
+#include "ssl/bio.h"
#define SSL_SESSION_ID_SIZE 32
#define SSL_SESSION_MAX_SIZE 10*1024
+static bool
+CreateSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &conn, Security::Io::Type type, const char *squidCtx)
+{
+ if (!Comm::IsConnOpen(conn)) {
+ debugs(83, DBG_IMPORTANT, "Gone connection");
+ return false;
+ }
+
+ const char *errAction = "with no TLS/SSL library";
+#if USE_OPENSSL
+ int errCode = 0;
+ if (auto ssl = SSL_new(ctx.get())) {
+ const int fd = conn->fd;
+ // without BIO, we would call SSL_set_fd(ssl, fd) instead
+ if (BIO *bio = Ssl::Bio::Create(fd, type)) {
+ Ssl::Bio::Link(ssl, bio); // cannot fail
+
+ fd_table[fd].ssl.resetWithoutLocking(ssl);
+ fd_table[fd].read_method = &ssl_read_method;
+ fd_table[fd].write_method = &ssl_write_method;
+ fd_note(fd, squidCtx);
+ return true;
+ }
+ errCode = ERR_get_error();
+ errAction = "failed to initialize I/O";
+ SSL_free(ssl);
+ } else {
+ errCode = ERR_get_error();
+ errAction = "failed to allocate handle";
+ }
+ debugs(83, DBG_IMPORTANT, "ERROR: " << squidCtx << ' ' << errAction <<
+ ": " << ERR_error_string(errCode, nullptr));
+#else
+ debugs(83, DBG_IMPORTANT, "ERROR: " << squidCtx << ' ' << errAction);
+#endif
+ return false;
+}
+
+bool
+Security::CreateClientSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &c, const char *squidCtx)
+{
+ return CreateSession(ctx, c, Security::Io::BIO_TO_SERVER, squidCtx);
+}
+
+bool
+Security::CreateServerSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &c, const char *squidCtx)
+{
+ return CreateSession(ctx, c, Security::Io::BIO_TO_CLIENT, squidCtx);
+}
+
bool
Security::SessionIsResumed(const Security::SessionPointer &s)
{
#define SQUID_SRC_SECURITY_SESSION_H
#include "base/HardFun.h"
+#include "comm/forward.h"
#include "security/LockingPointer.h"
#include <memory>
namespace Security {
+/// Creates TLS Client connection structure (aka 'session' state) and initializes TLS/SSL I/O (Comm and BIO).
+/// On errors, emits DBG_IMPORTANT with details and returns false.
+bool CreateClientSession(const Security::ContextPointer &, const Comm::ConnectionPointer &, const char *squidCtx);
+
+/// Creates TLS Server connection structure (aka 'session' state) and initializes TLS/SSL I/O (Comm and BIO).
+/// On errors, emits DBG_IMPORTANT with details and returns false.
+bool CreateServerSession(const Security::ContextPointer &, const Comm::ConnectionPointer &, const char *squidCtx);
+
#if USE_OPENSSL
CtoCpp1(SSL_free, SSL *);
typedef LockingPointer<SSL, Security::SSL_free_cpp, CRYPTO_LOCK_SSL> SessionPointer;
/// \note using std::unordered_set ensures values are unique, with fast lookup
typedef std::unordered_set<Security::ErrorCode> Errors;
+namespace Io
+{
+ enum Type {
+ BIO_TO_CLIENT = 6000,
+ BIO_TO_SERVER
+ };
+
+} // namespace Io
+
class KeyData;
class PeerConnector;
class PeerOptions;
};
BIO *
-Ssl::Bio::Create(const int fd, Ssl::Bio::Type type)
+Ssl::Bio::Create(const int fd, Security::Io::Type type)
{
if (BIO *bio = BIO_new(&SquidMethods)) {
BIO_int_ctrl(bio, BIO_C_SET_FD, type, fd);
assert(arg2);
const int fd = *static_cast<int*>(arg2);
Ssl::Bio *bio;
- if (arg1 == Ssl::Bio::BIO_TO_SERVER)
+ if (arg1 == Security::Io::BIO_TO_SERVER)
bio = new Ssl::ServerBio(fd);
else
bio = new Ssl::ClientBio(fd);
#ifndef SQUID_SSL_BIO_H
#define SQUID_SSL_BIO_H
+#if USE_OPENSSL
+
#include "fd.h"
#include "security/Handshake.h"
class Bio
{
public:
- enum Type {
- BIO_TO_CLIENT = 6000,
- BIO_TO_SERVER
- };
-
explicit Bio(const int anFd);
virtual ~Bio();
/// Creates a low-level BIO table, creates a high-level Ssl::Bio object
/// for a given socket, and then links the two together via BIO_C_SET_FD.
- static BIO *Create(const int fd, Type type);
+ static BIO *Create(const int fd, Security::Io::Type type);
/// Tells ssl connection to use BIO and monitor state via stateChanged()
static void Link(SSL *ssl, BIO *bio);
void
applyTlsDetailsToSSL(SSL *ssl, Security::TlsDetails::Pointer const &details, Ssl::BumpMode bumpMode);
+#endif /* USE_OPENSSL */
#endif /* SQUID_SSL_BIO_H */
return Ssl::generateSslCertificate(untrustedCert, untrustedPkey, certProperties);
}
-static bool
-SslCreate(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &conn, Ssl::Bio::Type type, const char *squidCtx)
-{
- if (!Comm::IsConnOpen(conn)) {
- debugs(83, DBG_IMPORTANT, "Gone connection");
- return false;
- }
-
- const char *errAction = NULL;
- int errCode = 0;
- if (auto ssl = SSL_new(ctx.get())) {
- const int fd = conn->fd;
- // without BIO, we would call SSL_set_fd(ssl, fd) instead
- if (BIO *bio = Ssl::Bio::Create(fd, type)) {
- Ssl::Bio::Link(ssl, bio); // cannot fail
-
- fd_table[fd].ssl.resetWithoutLocking(ssl);
- fd_table[fd].read_method = &ssl_read_method;
- fd_table[fd].write_method = &ssl_write_method;
- fd_note(fd, squidCtx);
- return true;
- }
- errCode = ERR_get_error();
- errAction = "failed to initialize I/O";
- SSL_free(ssl);
- } else {
- errCode = ERR_get_error();
- errAction = "failed to allocate handle";
- }
-
- debugs(83, DBG_IMPORTANT, "ERROR: " << squidCtx << ' ' << errAction <<
- ": " << ERR_error_string(errCode, NULL));
- return false;
-}
-
-bool
-Ssl::CreateClient(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &c, const char *squidCtx)
-{
- return SslCreate(ctx, c, Ssl::Bio::BIO_TO_SERVER, squidCtx);
-}
-
-bool
-Ssl::CreateServer(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &c, const char *squidCtx)
-{
- return SslCreate(ctx, c, Ssl::Bio::BIO_TO_CLIENT, squidCtx);
-}
-
static int
store_session_cb(SSL *ssl, SSL_SESSION *session)
{
class CertValidationResponse;
typedef RefCount<CertValidationResponse> CertValidationResponsePointer;
-/// Creates SSL Client connection structure and initializes SSL I/O (Comm and BIO).
-/// On errors, emits DBG_IMPORTANT with details and returns false.
-bool CreateClient(const Security::ContextPointer &, const Comm::ConnectionPointer &, const char *squidCtx);
-
-/// Creates SSL Server connection structure and initializes SSL I/O (Comm and BIO).
-/// On errors, emits DBG_IMPORTANT with details and returns false.
-bool CreateServer(const Security::ContextPointer &, const Comm::ConnectionPointer &, const char *squidCtx);
-
void SetSessionCallbacks(Security::ContextPointer &);
extern Ipc::MemMap *SessionCache;
extern const char *SessionCacheName;
#include "security/Session.h"
namespace Security {
+bool CreateClientSession(const Security::ContextPointer &, const Comm::ConnectionPointer &, const char *) STUB_RETVAL(false)
+bool CreateServerSession(const Security::ContextPointer &, const Comm::ConnectionPointer &, const char *) STUB_RETVAL(false)
bool SessionIsResumed(const Security::SessionPointer &) STUB_RETVAL(false)
void MaybeGetSessionResumeData(const Security::SessionPointer &, Security::SessionStatePointer &) STUB
void SetSessionResumeData(const Security::SessionPointer &, const Security::SessionStatePointer &) STUB
projects / thirdparty / squid.git / commitdiff
