Just namespace renaming and redux of USE_OPENSSL wrapped code sections.
#include "pconn.h"
#include "PeerPoolMgr.h"
#include "PeerSelectState.h"
+#include "security/BlindPeerConnector.h"
#include "SquidConfig.h"
#include "SquidTime.h"
-#include "ssl/BlindPeerConnector.h"
#include "ssl/PeekingPeerConnector.h"
#include "Store.h"
#include "StoreClient.h"
static PconnPool *fwdPconnPool = new PconnPool("server-peers", NULL);
CBDATA_CLASS_INIT(FwdState);
-#if USE_OPENSSL
-class FwdStatePeerAnswerDialer: public CallDialer, public Ssl::PeerConnector::CbDialer
+class FwdStatePeerAnswerDialer: public CallDialer, public Security::PeerConnector::CbDialer
{
public:
typedef void (FwdState::*Method)(Security::EncryptorAnswer &);
os << '(' << fwd_.get() << ", " << answer_ << ')';
}
- /* Ssl::PeerConnector::CbDialer API */
+ /* Security::PeerConnector::CbDialer API */
virtual Security::EncryptorAnswer &answer() { return answer_; }
private:
CbcPointer<FwdState> fwd_;
Security::EncryptorAnswer answer_;
};
-#endif
void
FwdState::abort(void* d)
closeHandler = comm_add_close_handler(serverConnection()->fd, fwdServerClosedWrapper, this);
-#if USE_OPENSSL
if (!request->flags.pinned) {
const CachePeer *p = serverConnection()->getPeer();
const bool peerWantsTls = p && p->secure.encryptTransport;
FwdStatePeerAnswerDialer(&FwdState::connectedToPeer, this));
// Use positive timeout when less than one second is left.
const time_t sslNegotiationTimeout = max(static_cast<time_t>(1), timeLeft());
- Ssl::PeerConnector *connector = NULL;
+ Security::PeerConnector *connector = nullptr;
+#if USE_OPENSSL
if (request->flags.sslPeek)
connector = new Ssl::PeekingPeerConnector(requestPointer, serverConnection(), clientConn, callback, al, sslNegotiationTimeout);
else
- connector = new Ssl::BlindPeerConnector(requestPointer, serverConnection(), callback, al, sslNegotiationTimeout);
+#endif
+ connector = new Security::BlindPeerConnector(requestPointer, serverConnection(), callback, al, sslNegotiationTimeout);
AsyncJob::Start(connector); // will call our callback
return;
}
}
-#endif
// if not encrypting just run the post-connect actions
Security::EncryptorAnswer nil;
request->flags.auth_no_keytab = 0;
switch (request->url.getScheme()) {
-#if USE_OPENSSL
case AnyP::PROTO_HTTPS:
httpStart(this);
break;
-#endif
case AnyP::PROTO_HTTP:
httpStart(this);
*/
#include "squid.h"
+#include "AccessLogEntry.h"
#include "base/AsyncJobCalls.h"
#include "base/RunnersRegistry.h"
#include "CachePeer.h"
#include "neighbors.h"
#include "pconn.h"
#include "PeerPoolMgr.h"
+#include "security/BlindPeerConnector.h"
#include "SquidConfig.h"
#include "SquidTime.h"
-#include "ssl/BlindPeerConnector.h"
CBDATA_CLASS_INIT(PeerPoolMgr);
-#if USE_OPENSSL
-/// Gives Ssl::PeerConnector access to Answer in the PeerPoolMgr callback dialer.
+/// Gives Security::PeerConnector access to Answer in the PeerPoolMgr callback dialer.
class MyAnswerDialer: public UnaryMemFunT<PeerPoolMgr, Security::EncryptorAnswer, Security::EncryptorAnswer&>,
- public Ssl::PeerConnector::CbDialer
+ public Security::PeerConnector::CbDialer
{
public:
MyAnswerDialer(const JobPointer &aJob, Method aMethod):
UnaryMemFunT<PeerPoolMgr, Security::EncryptorAnswer, Security::EncryptorAnswer&>(aJob, aMethod, Security::EncryptorAnswer()) {}
- /* Ssl::PeerConnector::CbDialer API */
+ /* Security::PeerConnector::CbDialer API */
virtual Security::EncryptorAnswer &answer() { return arg1; }
};
-#endif
PeerPoolMgr::PeerPoolMgr(CachePeer *aPeer): AsyncJob("PeerPoolMgr"),
peer(cbdataReference(aPeer)),
Must(params.conn != NULL);
-#if USE_OPENSSL
- // Handle SSL peers.
+ // Handle TLS peers.
if (peer->secure.encryptTransport) {
typedef CommCbMemFunT<PeerPoolMgr, CommCloseCbParams> CloserDialer;
closer = JobCallback(48, 3, CloserDialer, this,
const int timeUsed = squid_curtime - params.conn->startTime();
// Use positive timeout when less than one second is left for conn.
const int timeLeft = max(1, (peerTimeout - timeUsed));
- Ssl::BlindPeerConnector *connector =
- new Ssl::BlindPeerConnector(request, params.conn, securer, NULL, timeLeft);
+ auto *connector = new Security::BlindPeerConnector(request, params.conn, securer, nullptr, timeLeft);
AsyncJob::Start(connector); // will call our callback
return;
}
-#endif
pushNewConnection(params.conn);
}
/// Comm::ConnOpener calls this when done opening a connection for us
void handleOpenedConnection(const CommConnectCbParams ¶ms);
- /// Ssl::PeerConnector callback
+ /// Security::PeerConnector callback
void handleSecuredPeer(Security::EncryptorAnswer &answer);
/// called when the connection we are trying to secure is closed by a 3rd party
#include "icap_log.h"
#include "ipcache.h"
#include "pconn.h"
+#include "security/PeerConnector.h"
#include "SquidConfig.h"
#include "SquidTime.h"
-#if USE_OPENSSL
-/// Gives Ssl::PeerConnector access to Answer in the PeerPoolMgr callback dialer.
+/// Gives Security::PeerConnector access to Answer in the PeerPoolMgr callback dialer.
class MyIcapAnswerDialer: public UnaryMemFunT<Adaptation::Icap::Xaction, Security::EncryptorAnswer, Security::EncryptorAnswer&>,
- public Ssl::PeerConnector::CbDialer
+ public Security::PeerConnector::CbDialer
{
public:
MyIcapAnswerDialer(const JobPointer &aJob, Method aMethod):
UnaryMemFunT<Adaptation::Icap::Xaction, Security::EncryptorAnswer, Security::EncryptorAnswer&>(aJob, aMethod, Security::EncryptorAnswer()) {}
- /* Ssl::PeerConnector::CbDialer API */
+ /* Security::PeerConnector::CbDialer API */
virtual Security::EncryptorAnswer &answer() { return arg1; }
};
namespace Ssl
{
/// A simple PeerConnector for Secure ICAP services. No SslBump capabilities.
-class IcapPeerConnector: public PeerConnector {
+class IcapPeerConnector: public Security::PeerConnector {
CBDATA_CLASS(IcapPeerConnector);
public:
IcapPeerConnector(
AsyncJob("Ssl::IcapPeerConnector"),
PeerConnector(aServerConn, aCallback, alp, timeout), icapService(service) {}
- /* PeerConnector API */
+ /* Security::PeerConnector API */
virtual bool initializeTls(Security::SessionPointer &);
virtual void noteNegotiationDone(ErrorState *error);
virtual Security::ContextPtr getSslContext() {return icapService->sslContext;}
} // namespace Ssl
CBDATA_NAMESPACED_CLASS_INIT(Ssl, IcapPeerConnector);
-#endif
Adaptation::Icap::Xaction::Xaction(const char *aTypeName, Adaptation::Icap::ServiceRep::Pointer &aService):
AsyncJob(aTypeName),
CloseDialer(this,&Adaptation::Icap::Xaction::noteCommClosed));
comm_add_close_handler(io.conn->fd, closer);
-#if USE_OPENSSL
// If it is a reused connection and the SSL object is build
// we should not negotiate new SSL session
const auto &ssl = fd_table[io.conn->fd].ssl;
securer = asyncCall(93, 4, "Adaptation::Icap::Xaction::handleSecuredPeer",
MyIcapAnswerDialer(me, &Adaptation::Icap::Xaction::handleSecuredPeer));
- Ssl::PeerConnector::HttpRequestPointer tmpReq(NULL);
- Ssl::IcapPeerConnector *sslConnector =
- new Ssl::IcapPeerConnector(theService, io.conn, securer, masterLogEntry(), TheConfig.connect_timeout(service().cfg().bypass));
+ auto *sslConnector = new Ssl::IcapPeerConnector(theService, io.conn, securer, masterLogEntry(), TheConfig.connect_timeout(service().cfg().bypass));
AsyncJob::Start(sslConnector); // will call our callback
return;
}
-#endif
// ?? fd_table[io.conn->fd].noteUse(icapPconnPool);
service().noteConnectionUse(connection);
return false;
}
-#if USE_OPENSSL
bool
Ssl::IcapPeerConnector::initializeTls(Security::SessionPointer &serverSession)
{
- if (!Ssl::PeerConnector::initializeTls(serverSession))
+ if (!Security::PeerConnector::initializeTls(serverSession))
return false;
+#if USE_OPENSSL
assert(!icapService->cfg().secure.sslDomain.isEmpty());
SBuf *host = new SBuf(icapService->cfg().secure.sslDomain);
SSL_set_ex_data(serverSession.get(), ssl_ex_index_server, host);
SSL_set_session(serverSession.get(), icapService->sslSession);
return true;
+#else
+ return false;
+#endif
}
void
if (error)
return;
+#if USE_OPENSSL
const int fd = serverConnection()->fd;
auto ssl = fd_table[fd].ssl.get();
assert(ssl);
SSL_SESSION_free(icapService->sslSession);
icapService->sslSession = SSL_get1_session(ssl);
}
+#endif
}
void
handleCommConnected();
}
-#endif
#include "HttpReply.h"
#include "ipcache.h"
#include "sbuf/SBuf.h"
-#if USE_OPENSSL
-#include "ssl/PeerConnector.h"
-#endif
+//#include "security/PeerConnector.h"
class MemBuf;
#include "fde.h"
#include "HttpRequest.h"
#include "neighbors.h"
+#include "security/BlindPeerConnector.h"
#include "security/NegotiationHistory.h"
#include "SquidConfig.h"
-#include "ssl/BlindPeerConnector.h"
-CBDATA_NAMESPACED_CLASS_INIT(Ssl, BlindPeerConnector);
+CBDATA_NAMESPACED_CLASS_INIT(Security, BlindPeerConnector);
Security::ContextPtr
-Ssl::BlindPeerConnector::getSslContext()
+Security::BlindPeerConnector::getSslContext()
{
if (const CachePeer *peer = serverConnection()->getPeer()) {
assert(peer->secure.encryptTransport);
}
bool
-Ssl::BlindPeerConnector::initializeTls(Security::SessionPointer &serverSession)
+Security::BlindPeerConnector::initializeTls(Security::SessionPointer &serverSession)
{
- if (!Ssl::PeerConnector::initializeTls(serverSession))
+ if (!Security::PeerConnector::initializeTls(serverSession))
return false;
if (const CachePeer *peer = serverConnection()->getPeer()) {
// NP: domain may be a raw-IP but it is now always set
assert(!peer->secure.sslDomain.isEmpty());
+#if USE_OPENSSL
// const loss is okay here, ssl_ex_index_server is only read and not assigned a destructor
SBuf *host = new SBuf(peer->secure.sslDomain);
SSL_set_ex_data(serverSession.get(), ssl_ex_index_server, host);
} else {
SBuf *hostName = new SBuf(request->url.host());
SSL_set_ex_data(serverSession.get(), ssl_ex_index_server, (void*)hostName);
+#endif
}
-
return true;
}
void
-Ssl::BlindPeerConnector::noteNegotiationDone(ErrorState *error)
+Security::BlindPeerConnector::noteNegotiationDone(ErrorState *error)
{
if (error) {
// XXX: forward.cc calls peerConnectSucceeded() after an OK TCP connect but
return;
}
+#if USE_OPENSSL
const int fd = serverConnection()->fd;
Security::SessionPtr ssl = fd_table[fd].ssl.get();
if (serverConnection()->getPeer() && !SSL_session_reused(ssl)) {
serverConnection()->getPeer()->sslSession = SSL_get1_session(ssl);
}
+#endif
}
#ifndef SQUID_SRC_SSL_BLINDPEERCONNECTOR_H
#define SQUID_SRC_SSL_BLINDPEERCONNECTOR_H
-#include "ssl/PeerConnector.h"
+#include "security/PeerConnector.h"
-#if USE_OPENSSL
-
-namespace Ssl
+namespace Security
{
/// A simple PeerConnector for SSL/TLS cache_peers. No SslBump capabilities.
-class BlindPeerConnector: public PeerConnector {
+class BlindPeerConnector: public Security::PeerConnector {
CBDATA_CLASS(BlindPeerConnector);
public:
BlindPeerConnector(HttpRequestPointer &aRequest,
AsyncCall::Pointer &aCallback,
const AccessLogEntryPointer &alp,
const time_t timeout = 0) :
- AsyncJob("Ssl::BlindPeerConnector"),
- PeerConnector(aServerConn, aCallback, alp, timeout)
+ AsyncJob("Security::BlindPeerConnector"),
+ Security::PeerConnector(aServerConn, aCallback, alp, timeout)
{
request = aRequest;
}
- /* PeerConnector API */
+ /* Security::PeerConnector API */
/// Calls parent initializeTls(), configure the created TLS session object to
/// try reuse TLS session and sets the hostname to use for certificates validation
virtual void noteNegotiationDone(ErrorState *error);
};
-} // namespace Ssl
+} // namespace Security
-#endif /* USE_OPENSSL */
#endif /* SQUID_SRC_SSL_BLINDPEERCONNECTOR_H */
noinst_LTLIBRARIES = libsecurity.la
libsecurity_la_SOURCES= \
+ BlindPeerConnector.cc \
+ BlindPeerConnector.h \
Context.h \
EncryptorAnswer.cc \
EncryptorAnswer.h \
LockingPointer.h \
NegotiationHistory.cc \
NegotiationHistory.h \
+ PeerConnector.cc \
+ PeerConnector.h \
PeerOptions.cc \
PeerOptions.h \
ServerOptions.cc \
#include "fde.h"
#include "HttpRequest.h"
#include "security/NegotiationHistory.h"
+#include "security/PeerConnector.h"
#include "SquidConfig.h"
+#if USE_OPENSSL
#include "ssl/bio.h"
#include "ssl/cert_validate_message.h"
#include "ssl/Config.h"
#include "ssl/helper.h"
-#include "ssl/PeerConnector.h"
+#endif
-CBDATA_NAMESPACED_CLASS_INIT(Ssl, PeerConnector);
+CBDATA_NAMESPACED_CLASS_INIT(Security, PeerConnector);
-Ssl::PeerConnector::PeerConnector(const Comm::ConnectionPointer &aServerConn, AsyncCall::Pointer &aCallback, const AccessLogEntryPointer &alp, const time_t timeout) :
- AsyncJob("Ssl::PeerConnector"),
+Security::PeerConnector::PeerConnector(const Comm::ConnectionPointer &aServerConn, AsyncCall::Pointer &aCallback, const AccessLogEntryPointer &alp, const time_t timeout) :
+ AsyncJob("Security::PeerConnector"),
serverConn(aServerConn),
al(alp),
callback(aCallback),
startTime(squid_curtime),
useCertValidator_(true)
{
+ debugs(83, 5, "Security::PeerConnector constructed, this=" << (void*)this);
// if this throws, the caller's cb dialer is not our CbDialer
Must(dynamic_cast<CbDialer*>(callback->getDialer()));
}
-Ssl::PeerConnector::~PeerConnector()
+Security::PeerConnector::~PeerConnector()
{
- debugs(83, 5, "Peer connector " << this << " gone");
+ debugs(83, 5, "Security::PeerConnector destructed, this=" << (void*)this);
}
-bool Ssl::PeerConnector::doneAll() const
+bool Security::PeerConnector::doneAll() const
{
return (!callback || callback->canceled()) && AsyncJob::doneAll();
}
/// Preps connection and SSL state. Calls negotiate().
void
-Ssl::PeerConnector::start()
+Security::PeerConnector::start()
{
AsyncJob::start();
}
void
-Ssl::PeerConnector::commCloseHandler(const CommCloseCbParams ¶ms)
+Security::PeerConnector::commCloseHandler(const CommCloseCbParams ¶ms)
{
- debugs(83, 5, "FD " << params.fd << ", Ssl::PeerConnector=" << params.data);
- connectionClosed("Ssl::PeerConnector::commCloseHandler");
+ debugs(83, 5, "FD " << params.fd << ", Security::PeerConnector=" << params.data);
+ connectionClosed("Security::PeerConnector::commCloseHandler");
}
void
-Ssl::PeerConnector::connectionClosed(const char *reason)
+Security::PeerConnector::connectionClosed(const char *reason)
{
mustStop(reason);
callback = NULL;
}
bool
-Ssl::PeerConnector::prepareSocket()
+Security::PeerConnector::prepareSocket()
{
const int fd = serverConnection()->fd;
if (!Comm::IsConnOpen(serverConn) || fd_table[serverConn->fd].closing()) {
- connectionClosed("Ssl::PeerConnector::prepareSocket");
+ connectionClosed("Security::PeerConnector::prepareSocket");
return false;
}
// watch for external connection closures
- typedef CommCbMemFunT<Ssl::PeerConnector, CommCloseCbParams> Dialer;
- closeHandler = JobCallback(9, 5, Dialer, this, Ssl::PeerConnector::commCloseHandler);
+ typedef CommCbMemFunT<Security::PeerConnector, CommCloseCbParams> Dialer;
+ closeHandler = JobCallback(9, 5, Dialer, this, Security::PeerConnector::commCloseHandler);
comm_add_close_handler(fd, closeHandler);
return true;
}
bool
-Ssl::PeerConnector::initializeTls(Security::SessionPointer &serverSession)
+Security::PeerConnector::initializeTls(Security::SessionPointer &serverSession)
{
+#if USE_OPENSSL
Security::ContextPtr sslContext(getSslContext());
assert(sslContext);
ErrorState *anErr = new ErrorState(ERR_SOCKET_FAILURE, Http::scInternalServerError, request.getRaw());
anErr->xerrno = errno;
debugs(83, DBG_IMPORTANT, "Error allocating SSL handle: " << ERR_error_string(ERR_get_error(), NULL));
-
noteNegotiationDone(anErr);
bail(anErr);
return false;
SSL_set_ex_data(serverSession.get(), ssl_ex_index_cert_error_check, check);
}
}
+
return true;
+#else
+ return false;
+#endif
}
void
-Ssl::PeerConnector::setReadTimeout()
+Security::PeerConnector::setReadTimeout()
{
int timeToRead;
if (negotiationTimeout) {
}
void
-Ssl::PeerConnector::recordNegotiationDetails()
+Security::PeerConnector::recordNegotiationDetails()
{
+#if USE_OPENSSL
const int fd = serverConnection()->fd;
Security::SessionPtr ssl = fd_table[fd].ssl.get();
Ssl::ServerBio *bio = static_cast<Ssl::ServerBio *>(b->ptr);
if (const Security::TlsDetails::Pointer &details = bio->receivedHelloDetails())
serverConnection()->tlsNegotiations()->retrieveParsedInfo(details);
+#endif
}
void
-Ssl::PeerConnector::negotiateSsl()
+Security::PeerConnector::negotiateSsl()
{
if (!Comm::IsConnOpen(serverConnection()) || fd_table[serverConnection()->fd].closing())
return;
+#if USE_OPENSSL
const int fd = serverConnection()->fd;
Security::SessionPtr ssl = fd_table[fd].ssl.get();
const int result = SSL_connect(ssl);
+#else
+ const int result = -1;
+#endif
if (result <= 0) {
handleNegotiateError(result);
return; // we might be gone by now
}
bool
-Ssl::PeerConnector::sslFinalized()
+Security::PeerConnector::sslFinalized()
{
+#if USE_OPENSSL
if (Ssl::TheConfig.ssl_crt_validator && useCertValidator_) {
const int fd = serverConnection()->fd;
Security::SessionPtr ssl = fd_table[fd].ssl.get();
validationRequest.errors = NULL;
try {
debugs(83, 5, "Sending SSL certificate for validation to ssl_crtvd.");
- AsyncCall::Pointer call = asyncCall(83,5, "Ssl::PeerConnector::sslCrtvdHandleReply", Ssl::CertValidationHelper::CbDialer(this, &Ssl::PeerConnector::sslCrtvdHandleReply, nullptr));
+ AsyncCall::Pointer call = asyncCall(83,5, "Security::PeerConnector::sslCrtvdHandleReply", Ssl::CertValidationHelper::CbDialer(this, &Security::PeerConnector::sslCrtvdHandleReply, nullptr));
Ssl::CertValidationHelper::GetInstance()->sslSubmit(validationRequest, call);
return false;
} catch (const std::exception &e) {
return true;
}
}
+#endif
noteNegotiationDone(NULL);
return true;
}
+#if USE_OPENSSL
void
-Ssl::PeerConnector::sslCrtvdHandleReply(Ssl::CertValidationResponse::Pointer validationResponse)
+Security::PeerConnector::sslCrtvdHandleReply(Ssl::CertValidationResponse::Pointer validationResponse)
{
Must(validationResponse != NULL);
serverConn->close();
return;
}
+#endif
+#if USE_OPENSSL
/// Checks errors in the cert. validator response against sslproxy_cert_error.
/// The first honored error, if any, is returned via errDetails parameter.
/// The method returns all seen errors except SSL_ERROR_NONE as Ssl::CertErrors.
Ssl::CertErrors *
-Ssl::PeerConnector::sslCrtvdCheckForErrors(Ssl::CertValidationResponse const &resp, Ssl::ErrorDetail *& errDetails)
+Security::PeerConnector::sslCrtvdCheckForErrors(Ssl::CertValidationResponse const &resp, Ssl::ErrorDetail *& errDetails)
{
Ssl::CertErrors *errs = NULL;
return errs;
}
+#endif
/// A wrapper for Comm::SetSelect() notifications.
void
-Ssl::PeerConnector::NegotiateSsl(int, void *data)
+Security::PeerConnector::NegotiateSsl(int, void *data)
{
PeerConnector *pc = static_cast<PeerConnector*>(data);
// Use job calls to add done() checks and other job logic/protections.
- CallJobHere(83, 7, pc, Ssl::PeerConnector, negotiateSsl);
+ CallJobHere(83, 7, pc, Security::PeerConnector, negotiateSsl);
}
void
-Ssl::PeerConnector::handleNegotiateError(const int ret)
+Security::PeerConnector::handleNegotiateError(const int ret)
{
+#if USE_OPENSSL
const int fd = serverConnection()->fd;
unsigned long ssl_lib_error = SSL_ERROR_NONE;
Security::SessionPtr ssl = fd_table[fd].ssl.get();
// Log connection details, if any
recordNegotiationDetails();
noteSslNegotiationError(ret, ssl_error, ssl_lib_error);
+#endif
}
void
-Ssl::PeerConnector::noteWantRead()
+Security::PeerConnector::noteWantRead()
{
setReadTimeout();
const int fd = serverConnection()->fd;
}
void
-Ssl::PeerConnector::noteWantWrite()
+Security::PeerConnector::noteWantWrite()
{
const int fd = serverConnection()->fd;
Comm::SetSelect(fd, COMM_SELECT_WRITE, &NegotiateSsl, this, 0);
}
void
-Ssl::PeerConnector::noteSslNegotiationError(const int ret, const int ssl_error, const int ssl_lib_error)
+Security::PeerConnector::noteSslNegotiationError(const int ret, const int ssl_error, const int ssl_lib_error)
{
-#ifdef EPROTO
+#if USE_OPENSSL // not used unless OpenSSL enabled.
+#if defined(EPROTO)
int sysErrNo = EPROTO;
#else
int sysErrNo = EACCES;
noteNegotiationDone(anErr);
bail(anErr);
+#endif
}
void
-Ssl::PeerConnector::bail(ErrorState *error)
+Security::PeerConnector::bail(ErrorState *error)
{
Must(error); // or the recepient will not know there was a problem
Must(callback != NULL);
}
void
-Ssl::PeerConnector::callBack()
+Security::PeerConnector::callBack()
{
AsyncCall::Pointer cb = callback;
// Do this now so that if we throw below, swanSong() assert that we _tried_
}
void
-Ssl::PeerConnector::swanSong()
+Security::PeerConnector::swanSong()
{
// XXX: unregister fd-closure monitoring and CommSetSelect interest, if any
AsyncJob::swanSong();
}
const char *
-Ssl::PeerConnector::status() const
+Security::PeerConnector::status() const
{
static MemBuf buf;
buf.reset();
#include "CommCalls.h"
#include "security/EncryptorAnswer.h"
#include "security/forward.h"
+#if USE_OPENSSL
#include "ssl/support.h"
+#endif
#include <iosfwd>
-#if USE_OPENSSL
-
class HttpRequest;
class ErrorState;
class AccessLogEntry;
typedef RefCount<AccessLogEntry> AccessLogEntryPointer;
-namespace Ssl
+namespace Security
{
/**
- \par
* Connects Squid to SSL/TLS-capable peers or services.
* Contains common code and interfaces of various specialized PeerConnectors,
* including peer certificate validation code.
PeerConnector(const PeerConnector &); // not implemented
PeerConnector &operator =(const PeerConnector &); // not implemented
+#if USE_OPENSSL
/// Process response from cert validator helper
void sslCrtvdHandleReply(Ssl::CertValidationResponsePointer);
/// Check SSL errors returned from cert validator against sslproxy_cert_error access list
Ssl::CertErrors *sslCrtvdCheckForErrors(Ssl::CertValidationResponse const &, Ssl::ErrorDetail *&);
+#endif
/// A wrapper function for negotiateSsl for use with Comm::SetSelect
static void NegotiateSsl(int fd, void *data);
bool useCertValidator_; ///< whether the certificate validator should bypassed
};
-} // namespace Ssl
+} // namespace Security
-#endif /* USE_OPENSSL */
#endif /* SQUID_SRC_SSL_PEERCONNECTOR_H */
namespace Security
{
-class EncryptorAnswer;
-class PeerOptions;
-class ServerOptions;
-
#if USE_OPENSSL
CtoCpp1(X509_free, X509 *)
typedef Security::LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> CertPointer;
typedef void *DhePointer;
#endif
+class EncryptorAnswer;
class KeyData;
+class PeerConnector;
+class PeerOptions;
+class ServerOptions;
} // namespace Security
libsslsquid_la_SOURCES = \
bio.cc \
bio.h \
- BlindPeerConnector.cc \
- BlindPeerConnector.h \
cert_validate_message.cc \
cert_validate_message.h \
context_storage.cc \
ErrorDetailManager.h \
PeekingPeerConnector.cc \
PeekingPeerConnector.h \
- PeerConnector.cc \
- PeerConnector.h \
ProxyCerts.h \
ServerBump.cc \
ServerBump.h \
srvBio->holdWrite(false);
srvBio->recordInput(false);
debugs(83,5, "Retry the fwdNegotiateSSL on FD " << serverConn->fd);
- Ssl::PeerConnector::noteWantWrite();
+ Security::PeerConnector::noteWantWrite();
} else {
splice = true;
// Ssl Negotiation stops here. Last SSL checks for valid certificates
bool
Ssl::PeekingPeerConnector::initializeTls(Security::SessionPointer &serverSession)
{
- if (!Ssl::PeerConnector::initializeTls(serverSession))
+ if (!Security::PeerConnector::initializeTls(serverSession))
return false;
if (ConnStateData *csd = request->clientConnectionManager.valid()) {
return;
}
- Ssl::PeerConnector::noteWantWrite();
+ Security::PeerConnector::noteWantWrite();
}
void
}
// else call parent noteNegotiationError to produce an error page
- Ssl::PeerConnector::noteSslNegotiationError(result, ssl_error, ssl_lib_error);
+ Security::PeerConnector::noteSslNegotiationError(result, ssl_error, ssl_lib_error);
}
void
#ifndef SQUID_SRC_SSL_PEEKINGPEERCONNECTOR_H
#define SQUID_SRC_SSL_PEEKINGPEERCONNECTOR_H
-#include "ssl/PeerConnector.h"
+#include "security/PeerConnector.h"
#if USE_OPENSSL
{
/// A PeerConnector for HTTP origin servers. Capable of SslBumping.
-class PeekingPeerConnector: public PeerConnector {
+class PeekingPeerConnector: public Security::PeerConnector {
CBDATA_CLASS(PeekingPeerConnector);
public:
PeekingPeerConnector(HttpRequestPointer &aRequest,
const AccessLogEntryPointer &alp,
const time_t timeout = 0) :
AsyncJob("Ssl::PeekingPeerConnector"),
- PeerConnector(aServerConn, aCallback, alp, timeout),
+ Security::PeerConnector(aServerConn, aCallback, alp, timeout),
clientConn(aClientConn),
splice(false),
resumingSession(false),
request = aRequest;
}
- /* PeerConnector API */
+ /* Security::PeerConnector API */
virtual bool initializeTls(Security::SessionPointer &);
virtual Security::ContextPtr getSslContext();
virtual void noteWantWrite();
#ifndef SQUID_SSL_HELPER_H
#define SQUID_SSL_HELPER_H
+#if USE_OPENSSL
+
#include "base/AsyncJobCalls.h"
#include "base/LruMap.h"
#include "helper/forward.h"
+#include "security/forward.h"
#include "ssl/cert_validate_message.h"
#include "ssl/crtd_message.h"
};
#endif
-class PeerConnector;
class CertValidationRequest;
class CertValidationResponse;
class CertValidationHelper
{
public:
- typedef UnaryMemFunT<Ssl::PeerConnector, CertValidationResponse::Pointer> CbDialer;
+ typedef UnaryMemFunT<Security::PeerConnector, CertValidationResponse::Pointer> CbDialer;
typedef void CVHCB(void *, Ssl::CertValidationResponse const &);
static CertValidationHelper * GetInstance(); ///< Instance class.
};
} //namespace Ssl
+
+#endif /* USE_OPENSSL */
#endif // SQUID_SSL_HELPER_H
*/
#include "squid.h"
+#include "AccessLogEntry.h"
#include "comm/Connection.h"
+#include "HttpRequest.h"
#define STUB_API "security/libsecurity.la"
#include "tests/STUB.h"
Security::HandshakeParser::HandshakeParser() STUB
bool Security::HandshakeParser::parseHello(const SBuf &) STUB_RETVAL(false)
+#include "security/PeerConnector.h"
+CBDATA_NAMESPACED_CLASS_INIT(Security, PeerConnector);
+namespace Security
+{
+PeerConnector::PeerConnector(const Comm::ConnectionPointer &, AsyncCall::Pointer &, const AccessLogEntryPointer &, const time_t) :
+ AsyncJob("Security::PeerConnector") {STUB}
+PeerConnector::~PeerConnector() {STUB}
+void PeerConnector::start() STUB
+bool PeerConnector::doneAll() const STUB_RETVAL(true)
+void PeerConnector::swanSong() STUB
+const char *PeerConnector::status() const STUB_RETVAL("")
+void PeerConnector::commCloseHandler(const CommCloseCbParams &) STUB
+void PeerConnector::connectionClosed(const char *) STUB
+bool PeerConnector::prepareSocket() STUB_RETVAL(false)
+void PeerConnector::setReadTimeout() STUB
+bool PeerConnector::initializeTls(Security::SessionPointer &) STUB_RETVAL(false)
+void PeerConnector::negotiateSsl() STUB
+bool PeerConnector::sslFinalized() STUB_RETVAL(false)
+void PeerConnector::handleNegotiateError(const int) STUB
+void PeerConnector::noteWantRead() STUB
+void PeerConnector::noteWantWrite() STUB
+void PeerConnector::noteSslNegotiationError(const int, const int, const int) STUB
+// virtual Security::ContextPtr getSslContext() = 0;
+void PeerConnector::bail(ErrorState *) STUB
+void PeerConnector::callBack() STUB
+void PeerConnector::recordNegotiationDetails() STUB
+}
+
+#include "security/BlindPeerConnector.h"
+CBDATA_NAMESPACED_CLASS_INIT(Security, BlindPeerConnector);
+namespace Security
+{
+bool BlindPeerConnector::initializeTls(Security::SessionPointer &) STUB_RETVAL(false)
+Security::ContextPtr BlindPeerConnector::getSslContext() STUB_RETVAL(nullptr)
+void BlindPeerConnector::noteNegotiationDone(ErrorState *) STUB
+}
+
#include "MemBuf.h"
#include "PeerSelectState.h"
#include "sbuf/SBuf.h"
+#include "security/BlindPeerConnector.h"
#include "SquidConfig.h"
#include "SquidTime.h"
-#include "ssl/BlindPeerConnector.h"
#include "StatCounters.h"
#if USE_OPENSSL
#include "ssl/bio.h"
void connectToPeer();
private:
-#if USE_OPENSSL
/// Gives PeerConnector access to Answer in the TunnelStateData callback dialer.
- class MyAnswerDialer: public CallDialer, public Ssl::PeerConnector::CbDialer
+ class MyAnswerDialer: public CallDialer, public Security::PeerConnector::CbDialer
{
public:
typedef void (TunnelStateData::*Method)(Security::EncryptorAnswer &);
os << '(' << tunnel_.get() << ", " << answer_ << ')';
}
- /* Ssl::PeerConnector::CbDialer API */
+ /* Security::PeerConnector::CbDialer API */
virtual Security::EncryptorAnswer &answer() { return answer_; }
private:
CbcPointer<TunnelStateData> tunnel_;
Security::EncryptorAnswer answer_;
};
-#endif
/// callback handler after connection setup (including any encryption)
void connectedToPeer(Security::EncryptorAnswer &answer);
void
TunnelStateData::connectToPeer()
{
-#if USE_OPENSSL
if (CachePeer *p = server.conn->getPeer()) {
if (p->secure.encryptTransport) {
AsyncCall::Pointer callback = asyncCall(5,4,
"TunnelStateData::ConnectedToPeer",
MyAnswerDialer(&TunnelStateData::connectedToPeer, this));
- Ssl::BlindPeerConnector *connector =
- new Ssl::BlindPeerConnector(request, server.conn, callback, al);
+ auto *connector = new Security::BlindPeerConnector(request, server.conn, callback, al);
AsyncJob::Start(connector); // will call our callback
return;
}
}
-#endif
Security::EncryptorAnswer nil;
connectedToPeer(nil);
projects / thirdparty / squid.git / commitdiff
