From: Amos Jeffries Date: Wed, 27 Jul 2016 11:06:57 +0000 (+1200) Subject: Cleanup: Move PeerConnector and BlindPeerConnector to libsecurity X-Git-Tag: SQUID_4_0_13~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a72b6e88897db5decbac88b3b95336343333fbef;p=thirdparty%2Fsquid.git Cleanup: Move PeerConnector and BlindPeerConnector to libsecurity Just namespace renaming and redux of USE_OPENSSL wrapped code sections. --- diff --git a/src/FwdState.cc b/src/FwdState.cc index fa0b3ffae4..3390a23650 100644 --- a/src/FwdState.cc +++ b/src/FwdState.cc @@ -45,9 +45,9 @@ #include "pconn.h" #include "PeerPoolMgr.h" #include "PeerSelectState.h" +#include "security/BlindPeerConnector.h" #include "SquidConfig.h" #include "SquidTime.h" -#include "ssl/BlindPeerConnector.h" #include "ssl/PeekingPeerConnector.h" #include "Store.h" #include "StoreClient.h" @@ -78,8 +78,7 @@ static int FwdReplyCodes[MAX_FWD_STATS_IDX + 1][Http::scInvalidHeader + 1]; static PconnPool *fwdPconnPool = new PconnPool("server-peers", NULL); CBDATA_CLASS_INIT(FwdState); -#if USE_OPENSSL -class FwdStatePeerAnswerDialer: public CallDialer, public Ssl::PeerConnector::CbDialer +class FwdStatePeerAnswerDialer: public CallDialer, public Security::PeerConnector::CbDialer { public: typedef void (FwdState::*Method)(Security::EncryptorAnswer &); @@ -94,7 +93,7 @@ public: os << '(' << fwd_.get() << ", " << answer_ << ')'; } - /* Ssl::PeerConnector::CbDialer API */ + /* Security::PeerConnector::CbDialer API */ virtual Security::EncryptorAnswer &answer() { return answer_; } private: @@ -102,7 +101,6 @@ private: CbcPointer fwd_; Security::EncryptorAnswer answer_; }; -#endif void FwdState::abort(void* d) @@ -684,7 +682,6 @@ FwdState::connectDone(const Comm::ConnectionPointer &conn, Comm::Flag status, in closeHandler = comm_add_close_handler(serverConnection()->fd, fwdServerClosedWrapper, this); -#if USE_OPENSSL if (!request->flags.pinned) { const CachePeer *p = serverConnection()->getPeer(); const bool peerWantsTls = p && p->secure.encryptTransport; @@ -700,16 +697,17 @@ FwdState::connectDone(const Comm::ConnectionPointer &conn, Comm::Flag status, in FwdStatePeerAnswerDialer(&FwdState::connectedToPeer, this)); // Use positive timeout when less than one second is left. const time_t sslNegotiationTimeout = max(static_cast(1), timeLeft()); - Ssl::PeerConnector *connector = NULL; + Security::PeerConnector *connector = nullptr; +#if USE_OPENSSL if (request->flags.sslPeek) connector = new Ssl::PeekingPeerConnector(requestPointer, serverConnection(), clientConn, callback, al, sslNegotiationTimeout); else - connector = new Ssl::BlindPeerConnector(requestPointer, serverConnection(), callback, al, sslNegotiationTimeout); +#endif + connector = new Security::BlindPeerConnector(requestPointer, serverConnection(), callback, al, sslNegotiationTimeout); AsyncJob::Start(connector); // will call our callback return; } } -#endif // if not encrypting just run the post-connect actions Security::EncryptorAnswer nil; @@ -997,12 +995,10 @@ FwdState::dispatch() request->flags.auth_no_keytab = 0; switch (request->url.getScheme()) { -#if USE_OPENSSL case AnyP::PROTO_HTTPS: httpStart(this); break; -#endif case AnyP::PROTO_HTTP: httpStart(this); diff --git a/src/PeerPoolMgr.cc b/src/PeerPoolMgr.cc index 1c6875424a..1733e16f70 100644 --- a/src/PeerPoolMgr.cc +++ b/src/PeerPoolMgr.cc @@ -7,6 +7,7 @@ */ #include "squid.h" +#include "AccessLogEntry.h" #include "base/AsyncJobCalls.h" #include "base/RunnersRegistry.h" #include "CachePeer.h" @@ -20,25 +21,23 @@ #include "neighbors.h" #include "pconn.h" #include "PeerPoolMgr.h" +#include "security/BlindPeerConnector.h" #include "SquidConfig.h" #include "SquidTime.h" -#include "ssl/BlindPeerConnector.h" CBDATA_CLASS_INIT(PeerPoolMgr); -#if USE_OPENSSL -/// Gives Ssl::PeerConnector access to Answer in the PeerPoolMgr callback dialer. +/// Gives Security::PeerConnector access to Answer in the PeerPoolMgr callback dialer. class MyAnswerDialer: public UnaryMemFunT, - public Ssl::PeerConnector::CbDialer + public Security::PeerConnector::CbDialer { public: MyAnswerDialer(const JobPointer &aJob, Method aMethod): UnaryMemFunT(aJob, aMethod, Security::EncryptorAnswer()) {} - /* Ssl::PeerConnector::CbDialer API */ + /* Security::PeerConnector::CbDialer API */ virtual Security::EncryptorAnswer &answer() { return arg1; } }; -#endif PeerPoolMgr::PeerPoolMgr(CachePeer *aPeer): AsyncJob("PeerPoolMgr"), peer(cbdataReference(aPeer)), @@ -109,8 +108,7 @@ PeerPoolMgr::handleOpenedConnection(const CommConnectCbParams ¶ms) Must(params.conn != NULL); -#if USE_OPENSSL - // Handle SSL peers. + // Handle TLS peers. if (peer->secure.encryptTransport) { typedef CommCbMemFunT CloserDialer; closer = JobCallback(48, 3, CloserDialer, this, @@ -125,12 +123,10 @@ PeerPoolMgr::handleOpenedConnection(const CommConnectCbParams ¶ms) const int timeUsed = squid_curtime - params.conn->startTime(); // Use positive timeout when less than one second is left for conn. const int timeLeft = max(1, (peerTimeout - timeUsed)); - Ssl::BlindPeerConnector *connector = - new Ssl::BlindPeerConnector(request, params.conn, securer, NULL, timeLeft); + auto *connector = new Security::BlindPeerConnector(request, params.conn, securer, nullptr, timeLeft); AsyncJob::Start(connector); // will call our callback return; } -#endif pushNewConnection(params.conn); } diff --git a/src/PeerPoolMgr.h b/src/PeerPoolMgr.h index 5dfd0de6a4..92e4b91808 100644 --- a/src/PeerPoolMgr.h +++ b/src/PeerPoolMgr.h @@ -51,7 +51,7 @@ protected: /// Comm::ConnOpener calls this when done opening a connection for us void handleOpenedConnection(const CommConnectCbParams ¶ms); - /// Ssl::PeerConnector callback + /// Security::PeerConnector callback void handleSecuredPeer(Security::EncryptorAnswer &answer); /// called when the connection we are trying to secure is closed by a 3rd party diff --git a/src/adaptation/icap/Xaction.cc b/src/adaptation/icap/Xaction.cc index d91818065c..fca9f8507b 100644 --- a/src/adaptation/icap/Xaction.cc +++ b/src/adaptation/icap/Xaction.cc @@ -30,26 +30,26 @@ #include "icap_log.h" #include "ipcache.h" #include "pconn.h" +#include "security/PeerConnector.h" #include "SquidConfig.h" #include "SquidTime.h" -#if USE_OPENSSL -/// Gives Ssl::PeerConnector access to Answer in the PeerPoolMgr callback dialer. +/// Gives Security::PeerConnector access to Answer in the PeerPoolMgr callback dialer. class MyIcapAnswerDialer: public UnaryMemFunT, - public Ssl::PeerConnector::CbDialer + public Security::PeerConnector::CbDialer { public: MyIcapAnswerDialer(const JobPointer &aJob, Method aMethod): UnaryMemFunT(aJob, aMethod, Security::EncryptorAnswer()) {} - /* Ssl::PeerConnector::CbDialer API */ + /* Security::PeerConnector::CbDialer API */ virtual Security::EncryptorAnswer &answer() { return arg1; } }; namespace Ssl { /// A simple PeerConnector for Secure ICAP services. No SslBump capabilities. -class IcapPeerConnector: public PeerConnector { +class IcapPeerConnector: public Security::PeerConnector { CBDATA_CLASS(IcapPeerConnector); public: IcapPeerConnector( @@ -61,7 +61,7 @@ public: AsyncJob("Ssl::IcapPeerConnector"), PeerConnector(aServerConn, aCallback, alp, timeout), icapService(service) {} - /* PeerConnector API */ + /* Security::PeerConnector API */ virtual bool initializeTls(Security::SessionPointer &); virtual void noteNegotiationDone(ErrorState *error); virtual Security::ContextPtr getSslContext() {return icapService->sslContext;} @@ -72,7 +72,6 @@ private: } // namespace Ssl CBDATA_NAMESPACED_CLASS_INIT(Ssl, IcapPeerConnector); -#endif Adaptation::Icap::Xaction::Xaction(const char *aTypeName, Adaptation::Icap::ServiceRep::Pointer &aService): AsyncJob(aTypeName), @@ -302,7 +301,6 @@ void Adaptation::Icap::Xaction::noteCommConnected(const CommConnectCbParams &io) CloseDialer(this,&Adaptation::Icap::Xaction::noteCommClosed)); comm_add_close_handler(io.conn->fd, closer); -#if USE_OPENSSL // If it is a reused connection and the SSL object is build // we should not negotiate new SSL session const auto &ssl = fd_table[io.conn->fd].ssl; @@ -311,13 +309,10 @@ void Adaptation::Icap::Xaction::noteCommConnected(const CommConnectCbParams &io) securer = asyncCall(93, 4, "Adaptation::Icap::Xaction::handleSecuredPeer", MyIcapAnswerDialer(me, &Adaptation::Icap::Xaction::handleSecuredPeer)); - Ssl::PeerConnector::HttpRequestPointer tmpReq(NULL); - Ssl::IcapPeerConnector *sslConnector = - new Ssl::IcapPeerConnector(theService, io.conn, securer, masterLogEntry(), TheConfig.connect_timeout(service().cfg().bypass)); + auto *sslConnector = new Ssl::IcapPeerConnector(theService, io.conn, securer, masterLogEntry(), TheConfig.connect_timeout(service().cfg().bypass)); AsyncJob::Start(sslConnector); // will call our callback return; } -#endif // ?? fd_table[io.conn->fd].noteUse(icapPconnPool); service().noteConnectionUse(connection); @@ -709,13 +704,13 @@ bool Adaptation::Icap::Xaction::fillVirginHttpHeader(MemBuf &) const return false; } -#if USE_OPENSSL bool Ssl::IcapPeerConnector::initializeTls(Security::SessionPointer &serverSession) { - if (!Ssl::PeerConnector::initializeTls(serverSession)) + if (!Security::PeerConnector::initializeTls(serverSession)) return false; +#if USE_OPENSSL assert(!icapService->cfg().secure.sslDomain.isEmpty()); SBuf *host = new SBuf(icapService->cfg().secure.sslDomain); SSL_set_ex_data(serverSession.get(), ssl_ex_index_server, host); @@ -728,6 +723,9 @@ Ssl::IcapPeerConnector::initializeTls(Security::SessionPointer &serverSession) SSL_set_session(serverSession.get(), icapService->sslSession); return true; +#else + return false; +#endif } void @@ -736,6 +734,7 @@ Ssl::IcapPeerConnector::noteNegotiationDone(ErrorState *error) if (error) return; +#if USE_OPENSSL const int fd = serverConnection()->fd; auto ssl = fd_table[fd].ssl.get(); assert(ssl); @@ -744,6 +743,7 @@ Ssl::IcapPeerConnector::noteNegotiationDone(ErrorState *error) SSL_SESSION_free(icapService->sslSession); icapService->sslSession = SSL_get1_session(ssl); } +#endif } void @@ -776,5 +776,4 @@ Adaptation::Icap::Xaction::handleSecuredPeer(Security::EncryptorAnswer &answer) handleCommConnected(); } -#endif diff --git a/src/adaptation/icap/Xaction.h b/src/adaptation/icap/Xaction.h index a562deb222..b91ffe3ee9 100644 --- a/src/adaptation/icap/Xaction.h +++ b/src/adaptation/icap/Xaction.h @@ -16,9 +16,7 @@ #include "HttpReply.h" #include "ipcache.h" #include "sbuf/SBuf.h" -#if USE_OPENSSL -#include "ssl/PeerConnector.h" -#endif +//#include "security/PeerConnector.h" class MemBuf; diff --git a/src/ssl/BlindPeerConnector.cc b/src/security/BlindPeerConnector.cc similarity index 85% rename from src/ssl/BlindPeerConnector.cc rename to src/security/BlindPeerConnector.cc index 1bc9f97629..6e5d16fb73 100644 --- a/src/ssl/BlindPeerConnector.cc +++ b/src/security/BlindPeerConnector.cc @@ -12,14 +12,14 @@ #include "fde.h" #include "HttpRequest.h" #include "neighbors.h" +#include "security/BlindPeerConnector.h" #include "security/NegotiationHistory.h" #include "SquidConfig.h" -#include "ssl/BlindPeerConnector.h" -CBDATA_NAMESPACED_CLASS_INIT(Ssl, BlindPeerConnector); +CBDATA_NAMESPACED_CLASS_INIT(Security, BlindPeerConnector); Security::ContextPtr -Ssl::BlindPeerConnector::getSslContext() +Security::BlindPeerConnector::getSslContext() { if (const CachePeer *peer = serverConnection()->getPeer()) { assert(peer->secure.encryptTransport); @@ -30,9 +30,9 @@ Ssl::BlindPeerConnector::getSslContext() } bool -Ssl::BlindPeerConnector::initializeTls(Security::SessionPointer &serverSession) +Security::BlindPeerConnector::initializeTls(Security::SessionPointer &serverSession) { - if (!Ssl::PeerConnector::initializeTls(serverSession)) + if (!Security::PeerConnector::initializeTls(serverSession)) return false; if (const CachePeer *peer = serverConnection()->getPeer()) { @@ -41,6 +41,7 @@ Ssl::BlindPeerConnector::initializeTls(Security::SessionPointer &serverSession) // NP: domain may be a raw-IP but it is now always set assert(!peer->secure.sslDomain.isEmpty()); +#if USE_OPENSSL // const loss is okay here, ssl_ex_index_server is only read and not assigned a destructor SBuf *host = new SBuf(peer->secure.sslDomain); SSL_set_ex_data(serverSession.get(), ssl_ex_index_server, host); @@ -50,13 +51,13 @@ Ssl::BlindPeerConnector::initializeTls(Security::SessionPointer &serverSession) } else { SBuf *hostName = new SBuf(request->url.host()); SSL_set_ex_data(serverSession.get(), ssl_ex_index_server, (void*)hostName); +#endif } - return true; } void -Ssl::BlindPeerConnector::noteNegotiationDone(ErrorState *error) +Security::BlindPeerConnector::noteNegotiationDone(ErrorState *error) { if (error) { // XXX: forward.cc calls peerConnectSucceeded() after an OK TCP connect but @@ -69,6 +70,7 @@ Ssl::BlindPeerConnector::noteNegotiationDone(ErrorState *error) return; } +#if USE_OPENSSL const int fd = serverConnection()->fd; Security::SessionPtr ssl = fd_table[fd].ssl.get(); if (serverConnection()->getPeer() && !SSL_session_reused(ssl)) { @@ -77,5 +79,6 @@ Ssl::BlindPeerConnector::noteNegotiationDone(ErrorState *error) serverConnection()->getPeer()->sslSession = SSL_get1_session(ssl); } +#endif } diff --git a/src/ssl/BlindPeerConnector.h b/src/security/BlindPeerConnector.h similarity index 82% rename from src/ssl/BlindPeerConnector.h rename to src/security/BlindPeerConnector.h index 9284c7b783..fe529ea425 100644 --- a/src/ssl/BlindPeerConnector.h +++ b/src/security/BlindPeerConnector.h @@ -9,15 +9,13 @@ #ifndef SQUID_SRC_SSL_BLINDPEERCONNECTOR_H #define SQUID_SRC_SSL_BLINDPEERCONNECTOR_H -#include "ssl/PeerConnector.h" +#include "security/PeerConnector.h" -#if USE_OPENSSL - -namespace Ssl +namespace Security { /// A simple PeerConnector for SSL/TLS cache_peers. No SslBump capabilities. -class BlindPeerConnector: public PeerConnector { +class BlindPeerConnector: public Security::PeerConnector { CBDATA_CLASS(BlindPeerConnector); public: BlindPeerConnector(HttpRequestPointer &aRequest, @@ -25,13 +23,13 @@ public: AsyncCall::Pointer &aCallback, const AccessLogEntryPointer &alp, const time_t timeout = 0) : - AsyncJob("Ssl::BlindPeerConnector"), - PeerConnector(aServerConn, aCallback, alp, timeout) + AsyncJob("Security::BlindPeerConnector"), + Security::PeerConnector(aServerConn, aCallback, alp, timeout) { request = aRequest; } - /* PeerConnector API */ + /* Security::PeerConnector API */ /// Calls parent initializeTls(), configure the created TLS session object to /// try reuse TLS session and sets the hostname to use for certificates validation @@ -46,8 +44,7 @@ public: virtual void noteNegotiationDone(ErrorState *error); }; -} // namespace Ssl +} // namespace Security -#endif /* USE_OPENSSL */ #endif /* SQUID_SRC_SSL_BLINDPEERCONNECTOR_H */ diff --git a/src/security/Makefile.am b/src/security/Makefile.am index debbb0740f..ccc752235c 100644 --- a/src/security/Makefile.am +++ b/src/security/Makefile.am @@ -13,6 +13,8 @@ SUBDIRS= cert_generators cert_validators noinst_LTLIBRARIES = libsecurity.la libsecurity_la_SOURCES= \ + BlindPeerConnector.cc \ + BlindPeerConnector.h \ Context.h \ EncryptorAnswer.cc \ EncryptorAnswer.h \ @@ -23,6 +25,8 @@ libsecurity_la_SOURCES= \ LockingPointer.h \ NegotiationHistory.cc \ NegotiationHistory.h \ + PeerConnector.cc \ + PeerConnector.h \ PeerOptions.cc \ PeerOptions.h \ ServerOptions.cc \ diff --git a/src/ssl/PeerConnector.cc b/src/security/PeerConnector.cc similarity index 84% rename from src/ssl/PeerConnector.cc rename to src/security/PeerConnector.cc index 49bbaa90bf..75cedd72ba 100644 --- a/src/ssl/PeerConnector.cc +++ b/src/security/PeerConnector.cc @@ -15,17 +15,19 @@ #include "fde.h" #include "HttpRequest.h" #include "security/NegotiationHistory.h" +#include "security/PeerConnector.h" #include "SquidConfig.h" +#if USE_OPENSSL #include "ssl/bio.h" #include "ssl/cert_validate_message.h" #include "ssl/Config.h" #include "ssl/helper.h" -#include "ssl/PeerConnector.h" +#endif -CBDATA_NAMESPACED_CLASS_INIT(Ssl, PeerConnector); +CBDATA_NAMESPACED_CLASS_INIT(Security, PeerConnector); -Ssl::PeerConnector::PeerConnector(const Comm::ConnectionPointer &aServerConn, AsyncCall::Pointer &aCallback, const AccessLogEntryPointer &alp, const time_t timeout) : - AsyncJob("Ssl::PeerConnector"), +Security::PeerConnector::PeerConnector(const Comm::ConnectionPointer &aServerConn, AsyncCall::Pointer &aCallback, const AccessLogEntryPointer &alp, const time_t timeout) : + AsyncJob("Security::PeerConnector"), serverConn(aServerConn), al(alp), callback(aCallback), @@ -33,23 +35,24 @@ Ssl::PeerConnector::PeerConnector(const Comm::ConnectionPointer &aServerConn, As startTime(squid_curtime), useCertValidator_(true) { + debugs(83, 5, "Security::PeerConnector constructed, this=" << (void*)this); // if this throws, the caller's cb dialer is not our CbDialer Must(dynamic_cast(callback->getDialer())); } -Ssl::PeerConnector::~PeerConnector() +Security::PeerConnector::~PeerConnector() { - debugs(83, 5, "Peer connector " << this << " gone"); + debugs(83, 5, "Security::PeerConnector destructed, this=" << (void*)this); } -bool Ssl::PeerConnector::doneAll() const +bool Security::PeerConnector::doneAll() const { return (!callback || callback->canceled()) && AsyncJob::doneAll(); } /// Preps connection and SSL state. Calls negotiate(). void -Ssl::PeerConnector::start() +Security::PeerConnector::start() { AsyncJob::start(); @@ -59,38 +62,39 @@ Ssl::PeerConnector::start() } void -Ssl::PeerConnector::commCloseHandler(const CommCloseCbParams ¶ms) +Security::PeerConnector::commCloseHandler(const CommCloseCbParams ¶ms) { - debugs(83, 5, "FD " << params.fd << ", Ssl::PeerConnector=" << params.data); - connectionClosed("Ssl::PeerConnector::commCloseHandler"); + debugs(83, 5, "FD " << params.fd << ", Security::PeerConnector=" << params.data); + connectionClosed("Security::PeerConnector::commCloseHandler"); } void -Ssl::PeerConnector::connectionClosed(const char *reason) +Security::PeerConnector::connectionClosed(const char *reason) { mustStop(reason); callback = NULL; } bool -Ssl::PeerConnector::prepareSocket() +Security::PeerConnector::prepareSocket() { const int fd = serverConnection()->fd; if (!Comm::IsConnOpen(serverConn) || fd_table[serverConn->fd].closing()) { - connectionClosed("Ssl::PeerConnector::prepareSocket"); + connectionClosed("Security::PeerConnector::prepareSocket"); return false; } // watch for external connection closures - typedef CommCbMemFunT Dialer; - closeHandler = JobCallback(9, 5, Dialer, this, Ssl::PeerConnector::commCloseHandler); + typedef CommCbMemFunT Dialer; + closeHandler = JobCallback(9, 5, Dialer, this, Security::PeerConnector::commCloseHandler); comm_add_close_handler(fd, closeHandler); return true; } bool -Ssl::PeerConnector::initializeTls(Security::SessionPointer &serverSession) +Security::PeerConnector::initializeTls(Security::SessionPointer &serverSession) { +#if USE_OPENSSL Security::ContextPtr sslContext(getSslContext()); assert(sslContext); @@ -98,7 +102,6 @@ Ssl::PeerConnector::initializeTls(Security::SessionPointer &serverSession) ErrorState *anErr = new ErrorState(ERR_SOCKET_FAILURE, Http::scInternalServerError, request.getRaw()); anErr->xerrno = errno; debugs(83, DBG_IMPORTANT, "Error allocating SSL handle: " << ERR_error_string(ERR_get_error(), NULL)); - noteNegotiationDone(anErr); bail(anErr); return false; @@ -119,11 +122,15 @@ Ssl::PeerConnector::initializeTls(Security::SessionPointer &serverSession) SSL_set_ex_data(serverSession.get(), ssl_ex_index_cert_error_check, check); } } + return true; +#else + return false; +#endif } void -Ssl::PeerConnector::setReadTimeout() +Security::PeerConnector::setReadTimeout() { int timeToRead; if (negotiationTimeout) { @@ -137,8 +144,9 @@ Ssl::PeerConnector::setReadTimeout() } void -Ssl::PeerConnector::recordNegotiationDetails() +Security::PeerConnector::recordNegotiationDetails() { +#if USE_OPENSSL const int fd = serverConnection()->fd; Security::SessionPtr ssl = fd_table[fd].ssl.get(); @@ -149,17 +157,22 @@ Ssl::PeerConnector::recordNegotiationDetails() Ssl::ServerBio *bio = static_cast(b->ptr); if (const Security::TlsDetails::Pointer &details = bio->receivedHelloDetails()) serverConnection()->tlsNegotiations()->retrieveParsedInfo(details); +#endif } void -Ssl::PeerConnector::negotiateSsl() +Security::PeerConnector::negotiateSsl() { if (!Comm::IsConnOpen(serverConnection()) || fd_table[serverConnection()->fd].closing()) return; +#if USE_OPENSSL const int fd = serverConnection()->fd; Security::SessionPtr ssl = fd_table[fd].ssl.get(); const int result = SSL_connect(ssl); +#else + const int result = -1; +#endif if (result <= 0) { handleNegotiateError(result); return; // we might be gone by now @@ -174,8 +187,9 @@ Ssl::PeerConnector::negotiateSsl() } bool -Ssl::PeerConnector::sslFinalized() +Security::PeerConnector::sslFinalized() { +#if USE_OPENSSL if (Ssl::TheConfig.ssl_crt_validator && useCertValidator_) { const int fd = serverConnection()->fd; Security::SessionPtr ssl = fd_table[fd].ssl.get(); @@ -194,7 +208,7 @@ Ssl::PeerConnector::sslFinalized() validationRequest.errors = NULL; try { debugs(83, 5, "Sending SSL certificate for validation to ssl_crtvd."); - AsyncCall::Pointer call = asyncCall(83,5, "Ssl::PeerConnector::sslCrtvdHandleReply", Ssl::CertValidationHelper::CbDialer(this, &Ssl::PeerConnector::sslCrtvdHandleReply, nullptr)); + AsyncCall::Pointer call = asyncCall(83,5, "Security::PeerConnector::sslCrtvdHandleReply", Ssl::CertValidationHelper::CbDialer(this, &Security::PeerConnector::sslCrtvdHandleReply, nullptr)); Ssl::CertValidationHelper::GetInstance()->sslSubmit(validationRequest, call); return false; } catch (const std::exception &e) { @@ -211,13 +225,15 @@ Ssl::PeerConnector::sslFinalized() return true; } } +#endif noteNegotiationDone(NULL); return true; } +#if USE_OPENSSL void -Ssl::PeerConnector::sslCrtvdHandleReply(Ssl::CertValidationResponse::Pointer validationResponse) +Security::PeerConnector::sslCrtvdHandleReply(Ssl::CertValidationResponse::Pointer validationResponse) { Must(validationResponse != NULL); @@ -259,12 +275,14 @@ Ssl::PeerConnector::sslCrtvdHandleReply(Ssl::CertValidationResponse::Pointer val serverConn->close(); return; } +#endif +#if USE_OPENSSL /// Checks errors in the cert. validator response against sslproxy_cert_error. /// The first honored error, if any, is returned via errDetails parameter. /// The method returns all seen errors except SSL_ERROR_NONE as Ssl::CertErrors. Ssl::CertErrors * -Ssl::PeerConnector::sslCrtvdCheckForErrors(Ssl::CertValidationResponse const &resp, Ssl::ErrorDetail *& errDetails) +Security::PeerConnector::sslCrtvdCheckForErrors(Ssl::CertValidationResponse const &resp, Ssl::ErrorDetail *& errDetails) { Ssl::CertErrors *errs = NULL; @@ -316,19 +334,21 @@ Ssl::PeerConnector::sslCrtvdCheckForErrors(Ssl::CertValidationResponse const &re return errs; } +#endif /// A wrapper for Comm::SetSelect() notifications. void -Ssl::PeerConnector::NegotiateSsl(int, void *data) +Security::PeerConnector::NegotiateSsl(int, void *data) { PeerConnector *pc = static_cast(data); // Use job calls to add done() checks and other job logic/protections. - CallJobHere(83, 7, pc, Ssl::PeerConnector, negotiateSsl); + CallJobHere(83, 7, pc, Security::PeerConnector, negotiateSsl); } void -Ssl::PeerConnector::handleNegotiateError(const int ret) +Security::PeerConnector::handleNegotiateError(const int ret) { +#if USE_OPENSSL const int fd = serverConnection()->fd; unsigned long ssl_lib_error = SSL_ERROR_NONE; Security::SessionPtr ssl = fd_table[fd].ssl.get(); @@ -356,10 +376,11 @@ Ssl::PeerConnector::handleNegotiateError(const int ret) // Log connection details, if any recordNegotiationDetails(); noteSslNegotiationError(ret, ssl_error, ssl_lib_error); +#endif } void -Ssl::PeerConnector::noteWantRead() +Security::PeerConnector::noteWantRead() { setReadTimeout(); const int fd = serverConnection()->fd; @@ -367,7 +388,7 @@ Ssl::PeerConnector::noteWantRead() } void -Ssl::PeerConnector::noteWantWrite() +Security::PeerConnector::noteWantWrite() { const int fd = serverConnection()->fd; Comm::SetSelect(fd, COMM_SELECT_WRITE, &NegotiateSsl, this, 0); @@ -375,9 +396,10 @@ Ssl::PeerConnector::noteWantWrite() } void -Ssl::PeerConnector::noteSslNegotiationError(const int ret, const int ssl_error, const int ssl_lib_error) +Security::PeerConnector::noteSslNegotiationError(const int ret, const int ssl_error, const int ssl_lib_error) { -#ifdef EPROTO +#if USE_OPENSSL // not used unless OpenSSL enabled. +#if defined(EPROTO) int sysErrNo = EPROTO; #else int sysErrNo = EACCES; @@ -418,10 +440,11 @@ Ssl::PeerConnector::noteSslNegotiationError(const int ret, const int ssl_error, noteNegotiationDone(anErr); bail(anErr); +#endif } void -Ssl::PeerConnector::bail(ErrorState *error) +Security::PeerConnector::bail(ErrorState *error) { Must(error); // or the recepient will not know there was a problem Must(callback != NULL); @@ -439,7 +462,7 @@ Ssl::PeerConnector::bail(ErrorState *error) } void -Ssl::PeerConnector::callBack() +Security::PeerConnector::callBack() { AsyncCall::Pointer cb = callback; // Do this now so that if we throw below, swanSong() assert that we _tried_ @@ -456,7 +479,7 @@ Ssl::PeerConnector::callBack() } void -Ssl::PeerConnector::swanSong() +Security::PeerConnector::swanSong() { // XXX: unregister fd-closure monitoring and CommSetSelect interest, if any AsyncJob::swanSong(); @@ -470,7 +493,7 @@ Ssl::PeerConnector::swanSong() } const char * -Ssl::PeerConnector::status() const +Security::PeerConnector::status() const { static MemBuf buf; buf.reset(); diff --git a/src/ssl/PeerConnector.h b/src/security/PeerConnector.h similarity index 99% rename from src/ssl/PeerConnector.h rename to src/security/PeerConnector.h index 35c99dc9d7..5d434398c8 100644 --- a/src/ssl/PeerConnector.h +++ b/src/security/PeerConnector.h @@ -15,22 +15,21 @@ #include "CommCalls.h" #include "security/EncryptorAnswer.h" #include "security/forward.h" +#if USE_OPENSSL #include "ssl/support.h" +#endif #include -#if USE_OPENSSL - class HttpRequest; class ErrorState; class AccessLogEntry; typedef RefCount AccessLogEntryPointer; -namespace Ssl +namespace Security { /** - \par * Connects Squid to SSL/TLS-capable peers or services. * Contains common code and interfaces of various specialized PeerConnectors, * including peer certificate validation code. @@ -169,11 +168,13 @@ private: PeerConnector(const PeerConnector &); // not implemented PeerConnector &operator =(const PeerConnector &); // not implemented +#if USE_OPENSSL /// Process response from cert validator helper void sslCrtvdHandleReply(Ssl::CertValidationResponsePointer); /// Check SSL errors returned from cert validator against sslproxy_cert_error access list Ssl::CertErrors *sslCrtvdCheckForErrors(Ssl::CertValidationResponse const &, Ssl::ErrorDetail *&); +#endif /// A wrapper function for negotiateSsl for use with Comm::SetSelect static void NegotiateSsl(int fd, void *data); @@ -183,8 +184,7 @@ private: bool useCertValidator_; ///< whether the certificate validator should bypassed }; -} // namespace Ssl +} // namespace Security -#endif /* USE_OPENSSL */ #endif /* SQUID_SRC_SSL_PEERCONNECTOR_H */ diff --git a/src/security/forward.h b/src/security/forward.h index c903c6b64d..f0f2643b62 100644 --- a/src/security/forward.h +++ b/src/security/forward.h @@ -42,10 +42,6 @@ namespace Security { -class EncryptorAnswer; -class PeerOptions; -class ServerOptions; - #if USE_OPENSSL CtoCpp1(X509_free, X509 *) typedef Security::LockingPointer CertPointer; @@ -75,7 +71,11 @@ typedef Security::LockingPointer DhePointer; typedef void *DhePointer; #endif +class EncryptorAnswer; class KeyData; +class PeerConnector; +class PeerOptions; +class ServerOptions; } // namespace Security diff --git a/src/ssl/Makefile.am b/src/ssl/Makefile.am index 2c2060f2e2..72e5da055d 100644 --- a/src/ssl/Makefile.am +++ b/src/ssl/Makefile.am @@ -14,8 +14,6 @@ noinst_LTLIBRARIES = libsslsquid.la libsslutil.la libsslsquid_la_SOURCES = \ bio.cc \ bio.h \ - BlindPeerConnector.cc \ - BlindPeerConnector.h \ cert_validate_message.cc \ cert_validate_message.h \ context_storage.cc \ @@ -28,8 +26,6 @@ libsslsquid_la_SOURCES = \ ErrorDetailManager.h \ PeekingPeerConnector.cc \ PeekingPeerConnector.h \ - PeerConnector.cc \ - PeerConnector.h \ ProxyCerts.h \ ServerBump.cc \ ServerBump.h \ diff --git a/src/ssl/PeekingPeerConnector.cc b/src/ssl/PeekingPeerConnector.cc index cfe1902aab..05ed6f2ad8 100644 --- a/src/ssl/PeekingPeerConnector.cc +++ b/src/ssl/PeekingPeerConnector.cc @@ -97,7 +97,7 @@ Ssl::PeekingPeerConnector::checkForPeekAndSpliceMatched(const Ssl::BumpMode acti srvBio->holdWrite(false); srvBio->recordInput(false); debugs(83,5, "Retry the fwdNegotiateSSL on FD " << serverConn->fd); - Ssl::PeerConnector::noteWantWrite(); + Security::PeerConnector::noteWantWrite(); } else { splice = true; // Ssl Negotiation stops here. Last SSL checks for valid certificates @@ -136,7 +136,7 @@ Ssl::PeekingPeerConnector::getSslContext() bool Ssl::PeekingPeerConnector::initializeTls(Security::SessionPointer &serverSession) { - if (!Ssl::PeerConnector::initializeTls(serverSession)) + if (!Security::PeerConnector::initializeTls(serverSession)) return false; if (ConnStateData *csd = request->clientConnectionManager.valid()) { @@ -273,7 +273,7 @@ Ssl::PeekingPeerConnector::noteWantWrite() return; } - Ssl::PeerConnector::noteWantWrite(); + Security::PeerConnector::noteWantWrite(); } void @@ -318,7 +318,7 @@ Ssl::PeekingPeerConnector::noteSslNegotiationError(const int result, const int s } // else call parent noteNegotiationError to produce an error page - Ssl::PeerConnector::noteSslNegotiationError(result, ssl_error, ssl_lib_error); + Security::PeerConnector::noteSslNegotiationError(result, ssl_error, ssl_lib_error); } void diff --git a/src/ssl/PeekingPeerConnector.h b/src/ssl/PeekingPeerConnector.h index 5bacd0fb5c..d55af8968a 100644 --- a/src/ssl/PeekingPeerConnector.h +++ b/src/ssl/PeekingPeerConnector.h @@ -9,7 +9,7 @@ #ifndef SQUID_SRC_SSL_PEEKINGPEERCONNECTOR_H #define SQUID_SRC_SSL_PEEKINGPEERCONNECTOR_H -#include "ssl/PeerConnector.h" +#include "security/PeerConnector.h" #if USE_OPENSSL @@ -17,7 +17,7 @@ namespace Ssl { /// A PeerConnector for HTTP origin servers. Capable of SslBumping. -class PeekingPeerConnector: public PeerConnector { +class PeekingPeerConnector: public Security::PeerConnector { CBDATA_CLASS(PeekingPeerConnector); public: PeekingPeerConnector(HttpRequestPointer &aRequest, @@ -27,7 +27,7 @@ public: const AccessLogEntryPointer &alp, const time_t timeout = 0) : AsyncJob("Ssl::PeekingPeerConnector"), - PeerConnector(aServerConn, aCallback, alp, timeout), + Security::PeerConnector(aServerConn, aCallback, alp, timeout), clientConn(aClientConn), splice(false), resumingSession(false), @@ -36,7 +36,7 @@ public: request = aRequest; } - /* PeerConnector API */ + /* Security::PeerConnector API */ virtual bool initializeTls(Security::SessionPointer &); virtual Security::ContextPtr getSslContext(); virtual void noteWantWrite(); diff --git a/src/ssl/helper.h b/src/ssl/helper.h index bb2f3c4836..3c5e2a5ff0 100644 --- a/src/ssl/helper.h +++ b/src/ssl/helper.h @@ -9,9 +9,12 @@ #ifndef SQUID_SSL_HELPER_H #define SQUID_SSL_HELPER_H +#if USE_OPENSSL + #include "base/AsyncJobCalls.h" #include "base/LruMap.h" #include "helper/forward.h" +#include "security/forward.h" #include "ssl/cert_validate_message.h" #include "ssl/crtd_message.h" @@ -39,13 +42,12 @@ private: }; #endif -class PeerConnector; class CertValidationRequest; class CertValidationResponse; class CertValidationHelper { public: - typedef UnaryMemFunT CbDialer; + typedef UnaryMemFunT CbDialer; typedef void CVHCB(void *, Ssl::CertValidationResponse const &); static CertValidationHelper * GetInstance(); ///< Instance class. @@ -64,5 +66,7 @@ public: }; } //namespace Ssl + +#endif /* USE_OPENSSL */ #endif // SQUID_SSL_HELPER_H diff --git a/src/tests/stub_libsecurity.cc b/src/tests/stub_libsecurity.cc index 1875e2aee2..58af63e650 100644 --- a/src/tests/stub_libsecurity.cc +++ b/src/tests/stub_libsecurity.cc @@ -7,7 +7,9 @@ */ #include "squid.h" +#include "AccessLogEntry.h" #include "comm/Connection.h" +#include "HttpRequest.h" #define STUB_API "security/libsecurity.la" #include "tests/STUB.h" @@ -48,3 +50,40 @@ const char *Security::NegotiationHistory::printTlsVersion(AnyP::ProtocolVersion Security::HandshakeParser::HandshakeParser() STUB bool Security::HandshakeParser::parseHello(const SBuf &) STUB_RETVAL(false) +#include "security/PeerConnector.h" +CBDATA_NAMESPACED_CLASS_INIT(Security, PeerConnector); +namespace Security +{ +PeerConnector::PeerConnector(const Comm::ConnectionPointer &, AsyncCall::Pointer &, const AccessLogEntryPointer &, const time_t) : + AsyncJob("Security::PeerConnector") {STUB} +PeerConnector::~PeerConnector() {STUB} +void PeerConnector::start() STUB +bool PeerConnector::doneAll() const STUB_RETVAL(true) +void PeerConnector::swanSong() STUB +const char *PeerConnector::status() const STUB_RETVAL("") +void PeerConnector::commCloseHandler(const CommCloseCbParams &) STUB +void PeerConnector::connectionClosed(const char *) STUB +bool PeerConnector::prepareSocket() STUB_RETVAL(false) +void PeerConnector::setReadTimeout() STUB +bool PeerConnector::initializeTls(Security::SessionPointer &) STUB_RETVAL(false) +void PeerConnector::negotiateSsl() STUB +bool PeerConnector::sslFinalized() STUB_RETVAL(false) +void PeerConnector::handleNegotiateError(const int) STUB +void PeerConnector::noteWantRead() STUB +void PeerConnector::noteWantWrite() STUB +void PeerConnector::noteSslNegotiationError(const int, const int, const int) STUB +// virtual Security::ContextPtr getSslContext() = 0; +void PeerConnector::bail(ErrorState *) STUB +void PeerConnector::callBack() STUB +void PeerConnector::recordNegotiationDetails() STUB +} + +#include "security/BlindPeerConnector.h" +CBDATA_NAMESPACED_CLASS_INIT(Security, BlindPeerConnector); +namespace Security +{ +bool BlindPeerConnector::initializeTls(Security::SessionPointer &) STUB_RETVAL(false) +Security::ContextPtr BlindPeerConnector::getSslContext() STUB_RETVAL(nullptr) +void BlindPeerConnector::noteNegotiationDone(ErrorState *) STUB +} + diff --git a/src/tunnel.cc b/src/tunnel.cc index 2de70e7bc1..de62c732a0 100644 --- a/src/tunnel.cc +++ b/src/tunnel.cc @@ -34,9 +34,9 @@ #include "MemBuf.h" #include "PeerSelectState.h" #include "sbuf/SBuf.h" +#include "security/BlindPeerConnector.h" #include "SquidConfig.h" #include "SquidTime.h" -#include "ssl/BlindPeerConnector.h" #include "StatCounters.h" #if USE_OPENSSL #include "ssl/bio.h" @@ -174,9 +174,8 @@ public: void connectToPeer(); private: -#if USE_OPENSSL /// Gives PeerConnector access to Answer in the TunnelStateData callback dialer. - class MyAnswerDialer: public CallDialer, public Ssl::PeerConnector::CbDialer + class MyAnswerDialer: public CallDialer, public Security::PeerConnector::CbDialer { public: typedef void (TunnelStateData::*Method)(Security::EncryptorAnswer &); @@ -191,7 +190,7 @@ private: os << '(' << tunnel_.get() << ", " << answer_ << ')'; } - /* Ssl::PeerConnector::CbDialer API */ + /* Security::PeerConnector::CbDialer API */ virtual Security::EncryptorAnswer &answer() { return answer_; } private: @@ -199,7 +198,6 @@ private: CbcPointer tunnel_; Security::EncryptorAnswer answer_; }; -#endif /// callback handler after connection setup (including any encryption) void connectedToPeer(Security::EncryptorAnswer &answer); @@ -1109,19 +1107,16 @@ tunnelStart(ClientHttpRequest * http) void TunnelStateData::connectToPeer() { -#if USE_OPENSSL if (CachePeer *p = server.conn->getPeer()) { if (p->secure.encryptTransport) { AsyncCall::Pointer callback = asyncCall(5,4, "TunnelStateData::ConnectedToPeer", MyAnswerDialer(&TunnelStateData::connectedToPeer, this)); - Ssl::BlindPeerConnector *connector = - new Ssl::BlindPeerConnector(request, server.conn, callback, al); + auto *connector = new Security::BlindPeerConnector(request, server.conn, callback, al); AsyncJob::Start(connector); // will call our callback return; } } -#endif Security::EncryptorAnswer nil; connectedToPeer(nil);