From: Christos Tsantilas Date: Mon, 11 Aug 2014 16:46:52 +0000 (+0300) Subject: polish peek-and-splice X-Git-Tag: SQUID_3_5_0_1~89^2~5 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1110989afbb32d9cbe40175e61ebc8b04a662c90;p=thirdparty%2Fsquid.git polish peek-and-splice - Remove any references to "bumpErr" bumping mode. It is not implemented - Changes to allow make without openssl, "make dist" and "make distcheck" - Fix peek-and-splice documentation: The bumping modes are SslBump1, SslBump2 a nd SslBump3 - Other minor changes
---
diff --git a/acinclude/lib-checks.m4 b/acinclude/lib-checks.m4
index 6e43151863..fcbc530157 100644
--- a/acinclude/lib-checks.m4
+++ b/acinclude/lib-checks.m4
@@ -278,9 +278,9 @@ AC_DEFUN([SQUID_CHECK_OPENSSL_TXTDB],[
 SQUID_STATE_ROLLBACK(check_TXTDB)
 ])
-dnl Check if we can rewrite the hello message stored in SSL openSSL object
-dnl The tests are very basic, just check if the required SSL members exist
-dnl in SSL structure.
+dnl Check if we can rewrite the hello message stored in an SSL object.
+dnl The tests are very basic, just check if the required members exist in
+dnl SSL structure.
 AC_DEFUN([SQUID_CHECK_OPENSSL_HELLO_OVERWRITE_HACK],[
 AH_TEMPLATE(SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK, "Define to 1 if hello message can be overwritten in SSL struct")
 SQUID_STATE_SAVE(check_openSSL_overwrite_hack)
diff --git a/src/acl/AtBumpStep.cc b/src/acl/AtBumpStep.cc
index 86d3c186c0..b6d3479a39 100644
--- a/src/acl/AtBumpStep.cc
+++ b/src/acl/AtBumpStep.cc
@@ -4,7 +4,6 @@
 #include "acl/AtBumpStepData.h"
 #include "client_side.h"
 #include "ssl/ServerBump.h"
-//#include "ssl/support.h"
 int ACLAtStepStrategy::match (ACLData * &data, ACLFilledChecklist *checklist, ACLFlags &)
diff --git a/src/acl/AtBumpStep.h b/src/acl/AtBumpStep.h
index 26385a6b28..fff725dc0c 100644
--- a/src/acl/AtBumpStep.h
+++ b/src/acl/AtBumpStep.h
@@ -4,15 +4,16 @@
 #include "acl/Strategy.h"
 #include "ssl/support.h"
+/// \ingroup ACLAPI
 class ACLAtStepStrategy : public ACLStrategy
 {
 public:
 virtual int match (ACLData * &, ACLFilledChecklist *, ACLFlags &);
 static ACLAtStepStrategy *Instance();
- /* Not implemented to prevent copies of the instance. */
- /* Not private to prevent brain dead g+++ warnings about
- * private constructors with no friends */
+ /**
+ * Not implemented to prevent copies of the instance.
+ */
 ACLAtStepStrategy(ACLAtStepStrategy const &);
 private:
diff --git a/src/acl/Makefile.am b/src/acl/Makefile.am
index e5051b35dc..c6330e2cd2 100644
--- a/src/acl/Makefile.am
+++ b/src/acl/Makefile.am
@@ -31,10 +31,6 @@ libstate_la_SOURCES = \
 ## data-specific ACLs
 libacls_la_SOURCES = \
- AtBumpStep.cc \
- AtBumpStep.h \
- AtBumpStepData.cc \
- AtBumpStepData.h \
 IntRange.cc \
 IntRange.h \
 RegexData.cc \
@@ -137,6 +133,10 @@ libacls_la_SOURCES = \
 EXTRA_libacls_la_SOURCES =
 SSL_ACLS = \
+ AtBumpStep.cc \
+ AtBumpStep.h \
+ AtBumpStepData.cc \
+ AtBumpStepData.h \
 CertificateData.cc \
 CertificateData.h \
 Certificate.cc \
diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index 324340cfc8..84467a2d38 100644
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -243,7 +243,6 @@ static void free_sslproxy_cert_adapt(sslproxy_cert_adapt **cert_adapt);
 static void parse_sslproxy_ssl_bump(acl_access **ssl_bump);
 static void dump_sslproxy_ssl_bump(StoreEntry *entry, const char *name, acl_access *ssl_bump);
 static void free_sslproxy_ssl_bump(acl_access **ssl_bump);
-
 #endif /* USE_OPENSSL */
 static void parse_ftp_epsv(acl_access **ftp_epsv);
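Review bot: The rewritten Doxygen comment on `ACLAtStepStrategy(ACLAtStepStrategy const &);` drops the reason the undefined copy constructor sits in the public section rather than under `private:` (the removed text said it was to avoid g++ warnings about private constructors with no friends). Without that rationale the next cleanup will likely move it to `private:` and reintroduce the warning the original author worked around. Suggest keeping it: `/** Not implemented to prevent copies of the instance. Public (not private) to avoid g++ warnings about private constructors with no friends. */`. The class body continues past the hunk.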
@@ -4659,9 +4658,6 @@ static void parse_sslproxy_ssl_bump(acl_access **ssl_bump)
 } else if (strcmp(bm, Ssl::BumpModeStr[Ssl::bumpTerminate]) == 0) {
 action.kind = Ssl::bumpTerminate;
 bumpCfgStyleNow = bcsNew;
- } else if (strcmp(bm, Ssl::BumpModeStr[Ssl::bumpErr]) == 0) {
- action.kind = Ssl::bumpErr;
- bumpCfgStyleNow = bcsNew;
 } else if (strcmp(bm, Ssl::BumpModeStr[Ssl::bumpNone]) == 0) {
 action.kind = Ssl::bumpNone;
 bumpCfgStyleNow = bcsNew;
diff --git a/src/cf.data.pre b/src/cf.data.pre
index 0e6a078faf..157c43e030 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -1101,9 +1101,9 @@ IF USE_OPENSSL
 # At each SslBump step, Squid evaluates ssl_bump directives to find
 # the next bumping action (e.g., peek or splice). Valid SslBump step
 # values and the corresponding ssl_bump evaluation moments are:
- # step1: After getting TCP-level and HTTP CONNECT info.
- # step2: After getting SSL Client Hello info.
- # step3: After getting SSL Server Hello info.
+ # SslBump1: After getting TCP-level and HTTP CONNECT info.
+ # SslBump2: After getting SSL Client Hello info.
+ # SslBump3: After getting SSL Server Hello info.
 ENDIF
 acl aclname any-of acl1 acl2 ... # match any one of the acls [fast or slow]
@@ -2415,13 +2415,13 @@ DOC_START
 mimicked server certificate, with the client.
 peek
- Receive client (step step1) or server (step step2)
+ Receive client (step SslBump1) or server (step SslBump2)
 certificate while preserving the possibility of splicing the connection. Peeking at the server certificate (during step 2) usually precludes bumping of the connection at step 3.
 stare
- Receive client (step step1) or server (step step2)
+ Receive client (step SslBump1) or server (step SslBump2)
 certificate while preserving the possibility of bumping the connection. Staring at the server certificate (during step 2) usually precludes splicing of the connection at step 3.
@@ -2429,7 +2429,7 @@ DOC_START
 terminate
 Close client and server connections.
- Backward compatibility actions available at step step1:
+ Backward compatibility actions available at step SslBump1:
 client-first
 Bump the connection. Establish a secure connection with the
diff --git a/src/client_side.cc b/src/client_side.cc
index 81865e5cda..3c9c5115d9 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -4045,7 +4045,7 @@ void httpsSslBumpStep2AccessCheckDone(allow_t answer, void *data)
 debugs(33, 5, HERE << "Answer: " << answer << " kind:" << answer.kind);
 if (answer == ACCESS_ALLOWED && answer.kind != Ssl::bumpNone && answer.kind != Ssl::bumpSplice) {
- if (answer.kind == Ssl::bumpTerminate || answer.kind == Ssl::bumpErr)
+ if (answer.kind == Ssl::bumpTerminate)
 comm_close(connState->clientConnection->fd);
 else {
 if (answer.kind != Ssl::bumpPeek && answer.kind != Ssl::bumpStare)
diff --git a/src/ssl/PeerConnector.cc b/src/ssl/PeerConnector.cc
index b4a73f164d..5b515e090e 100644
--- a/src/ssl/PeerConnector.cc
+++ b/src/ssl/PeerConnector.cc
@@ -321,7 +321,7 @@ Ssl::PeerConnector::checkForPeekAndSplice(bool checkDone, Ssl::BumpMode peekMode
 else if (peekMode == Ssl::bumpBump && !srvBio->canBump())
 peekMode = Ssl::bumpSplice;
- if (peekMode == Ssl::bumpTerminate || peekMode == Ssl::bumpErr) {
+ if (peekMode == Ssl::bumpTerminate) {
 comm_close(serverConn->fd);
 comm_close(clientConn->fd);
 } else if (peekMode != Ssl::bumpSplice) {
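Review bot: In the `bumpTerminate` branch both descriptors are closed with `comm_close()`, but nothing in the hunk ends the `PeerConnector` job or tells its caller that negotiation is over; if `checkForPeekAndSplice` continues past this if/else chain (the rest of the function is outside the hunk), it would keep working with closed connections. Confirm that the close handlers registered on `serverConn`/`clientConn` complete the job, and say so where the reader needs it: `// both close handlers finish this job; nothing more to do here`. The same terminate-only condition is applied in client_side.cc's `httpsSslBumpStep2AccessCheckDone` in this patch, which closes only the client side; a short comment there on why no server close is needed (presumably no server connection exists yet at that step) would save the next reader a trip.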
@@ -507,7 +507,7 @@ Ssl::PeerConnector::handleNegotiateError(const int ret)
 // occure in the next SSL_connect call, and we will fail again.
 #if 1
 if ((request->clientConnectionManager->sslBumpMode == Ssl::bumpPeek || request->clientConnectionManager->sslBumpMode == Ssl::bumpStare) && srvBio->holdWrite()) {
- debugs(81, DBG_IMPORTANT, "fwdNegotiateSSL: Error (" << ERR_error_string(ssl_lib_error, NULL) << ") but, hold write on SSL connection on FD " << fd);
+ debugs(81, 3, "Error (" << ERR_error_string(ssl_lib_error, NULL) << ") but, hold write on SSL connection on FD " << fd);
 checkForPeekAndSplice(false, Ssl::bumpNone);
 return;
 }
diff --git a/src/ssl/bio.cc b/src/ssl/bio.cc
index 450270781d..57bb973ccf 100644
--- a/src/ssl/bio.cc
+++ b/src/ssl/bio.cc
@@ -306,13 +306,13 @@ Ssl::ServerBio::read(char *buf, int size, BIO *table)
 }
-// This function makes the required checks to examine if the client hello message
-// can be compatible with the features provided by OpenSSL toolkit.
+// This function makes the required checks to examine if the client hello
+// message is compatible with the features provided by OpenSSL toolkit.
 // If the features are compatible and can be supported it tries to rewrite SSL
-// structure members, to replace the hello message created by openSSL, with the
+// structure members, to replace the hello message created by openSSL, with the
 // web client SSL hello message.
-// This is mostly possible in the cases where the web client uses openSSL library
-// similar with this one used by squid.
+// This is mostly possible in the cases where the web client uses openSSL
+// library similar with this one used by squid.
 static bool adjustSSL(SSL *ssl, Ssl::Bio::sslFeatures &features) {
diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index c9b4ff3db6..877751a11b 100644
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -68,7 +68,7 @@ const char *Ssl::BumpModeStr[] = {
 "bump",
 "splice",
 "terminate",
- "err",
+ /*"err",*/
 NULL
 };
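Review bot: The new `debugs(81, 3, ...)` line keeps `ERR_error_string(ssl_lib_error, NULL)`, which formats into a static OpenSSL buffer; `ERR_error_string_n(ssl_lib_error, errbuf, sizeof(errbuf))` with a local `char errbuf[256]` is the safer form and keeps a pointer to shared state out of the log expression. Dropping the severity from `DBG_IMPORTANT` to level 3 also means a server handshake failure that is being held for peek/stare no longer appears in cache.log by default; that is defensible for an expected condition, but operators diagnosing splice failures should be told in the comment above that `debug_options 81,3` is needed to see it. The surrounding `#if 1` (a context line) is leftover scaffolding and should be removed, or replaced by a comment explaining why the hold path is unconditional. `handleNegotiateError` continues outside the hunk.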
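Review bot: `/*"err",*/` leaves commented-out code in `BumpModeStr[]`, and the matching `/*bumpErr,*/` in the support.h hunk does the same in `enum BumpMode`; since the commit message says bumpErr is not implemented, delete both tokens and let version control keep the history. The two definitions are index-aligned only by convention (`"terminate"` must sit at `bumpTerminate`, and `NULL` at `bumpEnd`, assuming the entries above the hunk follow the enum order), so add a comment next to the array, e.g. `// Must stay in the same order as Ssl::BumpMode; the NULL entry sits at bumpEnd.`, and, if the build allows it, a compile-time check that the array has `bumpEnd + 1` elements.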
diff --git a/src/ssl/support.h b/src/ssl/support.h
index 33bb0d0090..2cfb469f01 100644
--- a/src/ssl/support.h
+++ b/src/ssl/support.h
@@ -158,7 +158,7 @@ GETX509ATTRIBUTE GetX509Fingerprint;
 \ingroup ServerProtocolSSLAPI
 * Supported ssl-bump modes
 */
-enum BumpMode {bumpNone = 0, bumpClientFirst, bumpServerFirst, bumpPeek, bumpStare, bumpBump, bumpSplice, bumpTerminate, bumpErr, bumpEnd};
+enum BumpMode {bumpNone = 0, bumpClientFirst, bumpServerFirst, bumpPeek, bumpStare, bumpBump, bumpSplice, bumpTerminate, /*bumpErr,*/ bumpEnd};
 enum BumpStep {bumpStep1, bumpStep2, bumpStep3};
diff --git a/src/tests/stub_tunnel.cc b/src/tests/stub_tunnel.cc
index 8a0a56e934..94a5b5cf95 100644
--- a/src/tests/stub_tunnel.cc
+++ b/src/tests/stub_tunnel.cc
@@ -8,3 +8,5 @@ class ClientHttpRequest;
 void tunnelStart(ClientHttpRequest *, int64_t *, int *, const AccessLogEntryPointer &al) STUB
+void switchToTunnel(HttpRequest *request, int *status_ptr, Comm::ConnectionPointer &clientConn, Comm::ConnectionPointer &srvConn) STUB
+
diff --git a/src/tunnel.cc b/src/tunnel.cc
index 6b105f348e..a3a4c22233 100644
--- a/src/tunnel.cc
+++ b/src/tunnel.cc
@@ -966,7 +966,6 @@ void
 TunnelStateData::connectToPeer()
 {
 const Comm::ConnectionPointer &srv = server.conn;
- const Comm::ConnectionPointer &cln = client.conn;
 #if USE_OPENSSL
 if (CachePeer *p = srv->getPeer()) {
@@ -975,7 +974,7 @@ TunnelStateData::connectToPeer()
 "TunnelStateData::ConnectedToPeer",
 MyAnswerDialer(&TunnelStateData::connectedToPeer, this));
 Ssl::PeerConnector *connector =
- new Ssl::PeerConnector(request, srv, cln, callback);
+ new Ssl::PeerConnector(request, srv, client.conn, callback);
 AsyncJob::Start(connector); // will call our callback
 return;
 }
@@ -1106,6 +1105,7 @@ TunnelStateData::Connection::setDelayId(DelayId const &newDelay)
 #endif
+#if USE_OPENSSL
 int default_read_method(int, char *, int);
 int default_write_method(int, const char *, int);
 void
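Review bot: The added stub references `HttpRequest` and `Comm::ConnectionPointer`, yet the only declaration visible in the hunk is `class ClientHttpRequest;`; unless the includes above the hunk already provide those names, the test build will fail on this line. The hunk also appends an empty line after the new `STUB`, leaving a trailing blank line at end of file. The real `switchToTunnel` is now wrapped in `#if USE_OPENSSL` in tunnel.cc while the stub is unconditional — harmless for a stub, but worth a one-line comment: `// defined under USE_OPENSSL in tunnel.cc; stubbed unconditionally here`.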
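Review bot: The `#if USE_OPENSSL` added after the existing `#endif` here is closed only by the `#endif //USE_OPENSSL` in the `@@ -1183` hunk, so everything between them — `default_read_method`, `default_write_method`, `switchToTunnel` and whatever lies in the lines this patch does not show — becomes OpenSSL-only. Confirm nothing in that range is referenced from non-OpenSSL code paths; if the two read/write method declarations are needed there, place the `#if` after them instead. For consistency with `#endif /* USE_OPENSSL */` in cache_cf.cc in this same patch, the closing comment should read `#endif /* USE_OPENSSL */`.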
@@ -1183,3 +1183,4 @@ switchToTunnel(HttpRequest *request, int *status_ptr, Comm::ConnectionPointer &c
 CommIoCbPtrFun(tunnelConnectedWriteDone, tunnelState));
 Comm::Write(tunnelState->client.conn, buf.content(), buf.contentSize(), call, NULL);
 }
+#endif //USE_OPENSSL