1 /*
2 * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9 #include "squid.h"
10 #include "CachePeer.h"
11 #include "comm/Connection.h"
12 #include "errorpage.h"
13 #include "fde.h"
14 #include "HttpRequest.h"
15 #include "neighbors.h"
16 #include "security/BlindPeerConnector.h"
17 #include "security/NegotiationHistory.h"
18 #include "SquidConfig.h"
19
// cbdata registration for Security::BlindPeerConnector; presumably the
// out-of-class counterpart of a CBDATA_CLASS declaration in the header --
// confirm there before changing the namespace or class name here.
CBDATA_NAMESPACED_CLASS_INIT(Security, BlindPeerConnector);
21
/// Picks the TLS client context for this outgoing connection: the
/// cache_peer's own context when the server is a configured peer, otherwise
/// the global ssl_client context. A configured peer is required to have
/// encryptTransport set (asserted), so only peers meant to use TLS reach here.
Security::ContextPointer
Security::BlindPeerConnector::getTlsContext()
{
    const CachePeer *const cachePeer = serverConnection()->getPeer();
    if (!cachePeer)
        return ::Config.ssl_client.sslContext;

    assert(cachePeer->secure.encryptTransport);
    return cachePeer->sslContext;
}
31
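/// Prepares \a serverSession for the upcoming handshake after the base class
/// has done its part. Returns false, without touching the session, when
/// PeerConnector::initialize() fails.
///
/// The host name stored under ssl_ex_index_server is the configured
/// cache_peer sslDomain for peer connections and the requested URL host for
/// direct connections. Its consumers (presumably certificate-name validation
/// and error reporting) are not visible here -- confirm against the readers
/// of ssl_ex_index_server before changing which name is recorded.
bool
Security::BlindPeerConnector::initialize(Security::SessionPointer &serverSession)
{
    if (!Security::PeerConnector::initialize(serverSession))
        return false;

    const CachePeer *const peer = serverConnection()->getPeer();

    if (peer) {
        // NP: domain may be a raw-IP but it is now always set
        assert(!peer->secure.sslDomain.isEmpty());
    }

#if USE_OPENSSL
    // The heap-allocated SBuf is handed to the session's ex_data slot. Whether
    // it is ever released depends on the free callback registered for
    // ssl_ex_index_server (not visible here) -- confirm this does not leak
    // one SBuf per connection.
    if (peer) {
        // copying the const SBuf into a fresh non-const one is intentional
        SBuf *host = new SBuf(peer->secure.sslDomain);
        SSL_set_ex_data(serverSession.get(), ssl_ex_index_server, host);

        Security::SetSessionResumeData(serverSession, peer->sslSession);
    } else {
        // no cache_peer: remember the host the client asked for
        SBuf *hostName = new SBuf(request->url.host());
        // SBuf* converts to void* implicitly; no cast needed
        SSL_set_ex_data(serverSession.get(), ssl_ex_index_server, hostName);
    }
#endif

    return true;
}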
57
/// Called once the TLS negotiation has finished. On failure, a configured
/// cache_peer is reported via peerConnectFailed(); on success, resume data is
/// copied from the connection's SSL object into the peer's sslSession
/// (presumably for session resumption on later connections).
void
Security::BlindPeerConnector::noteNegotiationDone(ErrorState *error)
{
    auto *const cachePeer = serverConnection()->getPeer();

    if (error) {
        // XXX: forward.cc calls peerConnectSucceeded() after an OK TCP connect but
        // we call peerConnectFailed() if SSL failed afterwards. Is that OK?
        // It is not clear whether we should call peerConnectSucceeded/Failed()
        // based on TCP results, SSL results, or both. And the code is probably not
        // consistent in this aspect across tunnelling and forwarding modules.
        if (cachePeer)
            peerConnectFailed(cachePeer);
        return;
    }

    if (!cachePeer)
        return;

    const int serverFd = serverConnection()->fd;
    Security::MaybeGetSessionResumeData(fd_table[serverFd].ssl, cachePeer->sslSession);
}
77