squid : Optimising Web Delivery

Go to the documentation of this file.

 /*
  * Copyright (C) 1996-2025 The Squid Software Foundation and contributors
  *
  * Squid software is distributed under GPLv2+ license and includes
  * contributions from numerous individuals and organizations.
  * Please see the COPYING and CONTRIBUTORS files for details.
  */
  
 #ifndef SQUID_SRC_SECURITY_PEERCONNECTOR_H
 #define SQUID_SRC_SECURITY_PEERCONNECTOR_H
  
 #include "acl/Acl.h"
 #include "acl/ChecklistFiller.h"
 #include "base/AsyncCallbacks.h"
 #include "base/AsyncJob.h"
 #include "base/JobWait.h"
 #include "CommCalls.h"
 #include "http/forward.h"
 #include "security/EncryptorAnswer.h"
 #include "security/forward.h"
 #include "security/KeyLogger.h"
 #if USE_OPENSSL
 #include "ssl/support.h"
 #endif
  
 #include <iosfwd>
 #include <queue>
  
 class Downloader;
 class DownloaderAnswer;
 class AccessLogEntry;
 typedef RefCount<AccessLogEntry> AccessLogEntryPointer;
  
 namespace Security
 {
  
 class IoResult;
 typedef RefCount<IoResult> IoResultPointer;
  
 class PeerConnector: virtual public AsyncJob, public Acl::ChecklistFiller
 {
     CBDATA_INTERMEDIATE();
  
 public:
     typedef CbcPointer<PeerConnector> Pointer;
  
     PeerConnector(const Comm::ConnectionPointer &aServerConn,
                   const AsyncCallback<EncryptorAnswer> &,
                   const AccessLogEntryPointer &alp,
                   const time_t timeout = 0);
     ~PeerConnector() override;
  
     bool noteFwdPconnUse;
  
 protected:
     // AsyncJob API
     void start() override;
     bool doneAll() const override;
     void swanSong() override;
     const char *status() const override;
  
     /* Acl::ChecklistFiller API */
     void fillChecklist(ACLFilledChecklist &) const override;
  
     void commTimeoutHandler(const CommTimeoutCbParams &);
  
     void commCloseHandler(const CommCloseCbParams &params);
  
     virtual bool initialize(Security::SessionPointer &);
  
     void negotiate();
  
     bool sslFinalized();
  
     void handleNegotiationResult(const Security::IoResult &);
  
     void noteWantRead();
  
     bool isSuspended() const { return static_cast<bool>(suspendedError_); }
  
 #if USE_OPENSSL
     void suspendNegotiation(const Security::IoResult &lastError);
  
     void resumeNegotiation();
  
     void handleMissingCertificates(const Security::IoResult &lastError);
  
     void startCertDownloading(SBuf &url);
  
     void certDownloadingDone(DownloaderAnswer &);
 #endif
  
     virtual void noteWantWrite();
  
     virtual void noteNegotiationError(const Security::ErrorDetailPointer &);
  
     virtual void noteNegotiationDone(ErrorState *) {}
  
     virtual FuturePeerContext *peerContext() const = 0;
  
     Comm::ConnectionPointer const &serverConnection() const { return serverConn; }
  
     void bail(ErrorState *error);
  
     void sendSuccess();
  
     void callBack();
  
     void disconnect();
  
     void countFailingConnection();
  
     void bypassCertValidator() {useCertValidator_ = false;}
  
     void recordNegotiationDetails();
  
     EncryptorAnswer &answer();
  
     HttpRequestPointer request; 
     Comm::ConnectionPointer serverConn; 
     AccessLogEntryPointer al; 
  
     AsyncCallback<EncryptorAnswer> callback;
  
 private:
     PeerConnector(const PeerConnector &); // not implemented
     PeerConnector &operator =(const PeerConnector &); // not implemented
  
 #if USE_OPENSSL
     unsigned int certDownloadNestingLevel() const;
  
     void sslCrtvdHandleReply(Ssl::CertValidationResponsePointer &);
  
     Security::CertErrors *sslCrtvdCheckForErrors(Ssl::CertValidationResponse const &, ErrorDetailPointer &);
  
     bool computeMissingCertificateUrls(const Connection &);
 #endif
  
     static void NegotiateSsl(int fd, void *data);
     void negotiateSsl();
  
     static const unsigned int MaxCertsDownloads = 10;
  
     static const unsigned int MaxNestedDownloads = 3;
  
     Security::KeyLogger keyLogger;
  
     AsyncCall::Pointer closeHandler; 
     time_t negotiationTimeout; 
     time_t startTime; 
     bool useCertValidator_; 
     std::queue<SBuf> urlsOfMissingCerts;
     unsigned int certsDownloads; 
  
 #if USE_OPENSSL
     Ssl::X509_STACK_Pointer downloadedCerts;
 #endif
  
     Security::IoResultPointer suspendedError_;
  
     JobWait<Downloader> certDownloadWait; 
 };
  
 } // namespace Security
  
 #endif /* SQUID_SRC_SECURITY_PEERCONNECTOR_H */
  

AsyncJob

Definition: AsyncJob.h:31

Security::PeerConnector::callback

AsyncCallback< EncryptorAnswer > callback

answer destination

Definition: PeerConnector.h:170

Security::PeerConnector::startTime

time_t startTime

when the peer connector negotiation started

Definition: PeerConnector.h:202

CbDataList

Definition: CbDataList.h:15

ACLFilledChecklist

Definition: FilledChecklist.h:33

Security::PeerConnector::initialize

virtual bool initialize(Security::SessionPointer &)

Definition: PeerConnector.cc:139

Security::PeerConnector::PeerConnector

PeerConnector(const Comm::ConnectionPointer &aServerConn, const AsyncCallback< EncryptorAnswer > &, const AccessLogEntryPointer &alp, const time_t timeout=0)

Definition: PeerConnector.cc:40

Security::PeerConnector::answer

EncryptorAnswer & answer()

convenience method to get to the answer fields

Definition: PeerConnector.cc:497

Security::PeerConnector::NegotiateSsl

static void NegotiateSsl(int fd, void *data)

A wrapper for Comm::SetSelect() notifications.

Definition: PeerConnector.cc:439

AsyncJob.h

Security::PeerConnector::MaxNestedDownloads

static const unsigned int MaxNestedDownloads

The maximum number of inter-dependent Downloader jobs a worker may initiate.

Definition: PeerConnector.h:195

Security::PeerConnector::callBack

void callBack()

a bail(), sendSuccess() helper: sends results to the initiator

Definition: PeerConnector.cc:555

Security::PeerConnector::serverConn

Comm::ConnectionPointer serverConn

TCP connection to the peer.

Definition: PeerConnector.h:166

Security::PeerConnector::sslCrtvdHandleReply

void sslCrtvdHandleReply(Ssl::CertValidationResponsePointer &)

Process response from cert validator helper.

Definition: PeerConnector.cc:334

Security::EncryptorAnswer

Definition: EncryptorAnswer.h:21

Security::PeerConnector::suspendedError_

Security::IoResultPointer suspendedError_

outcome of the last (failed and) suspended negotiation attempt (or nil)

Definition: PeerConnector.h:214

Security::PeerConnector::request

HttpRequestPointer request

peer connection trigger or cause

Definition: PeerConnector.h:165

Security::PeerConnector::certsDownloads

unsigned int certsDownloads

the number of downloaded missing certificates

Definition: PeerConnector.h:206

Security::PeerConnector::commTimeoutHandler

void commTimeoutHandler(const CommTimeoutCbParams &)

The connection read timeout callback handler.

Definition: PeerConnector.cc:129

error

void error(char *format,...)

SBuf

Definition: SBuf.h:93

Ssl::X509_STACK_Pointer

std::unique_ptr< STACK_OF(X509), sk_X509_free_wrapper > X509_STACK_Pointer

Definition: gadgets.h:53

AsyncCallback

a smart AsyncCall pointer for delivery of future results

Definition: AsyncCallbacks.h:31

Security::PeerConnector::certDownloadNestingLevel

unsigned int certDownloadNestingLevel() const

the number of concurrent PeerConnector jobs waiting for us

Definition: PeerConnector.cc:601

Security::PeerConnector::~PeerConnector

~PeerConnector() override

CbcPointer

Definition: AsyncJob.h:17

support.h

Security::PeerConnector::swanSong

void swanSong() override

Definition: PeerConnector.cc:563

Security::PeerConnector::certDownloadWait

JobWait< Downloader > certDownloadWait

waits for the missing certificate to be downloaded

Definition: PeerConnector.h:216

Security::PeerConnector::negotiate

void negotiate()

Definition: PeerConnector.cc:213

Acl.h

Security::IoResult

a summary a TLS I/O operation outcome

Definition: Io.h:19

Security::PeerConnector::operator=

PeerConnector & operator=(const PeerConnector &)

Security::FuturePeerContext

A combination of PeerOptions and the corresponding Context.

Definition: PeerOptions.h:154

Security::PeerConnector::isSuspended

bool isSuspended() const

Whether TLS negotiation has been paused and not yet resumed.

Definition: PeerConnector.h:101

Security::PeerConnector::peerContext

virtual FuturePeerContext * peerContext() const =0

Security::PeerConnector::bypassCertValidator

void bypassCertValidator()

If called the certificates validator will not used.

Definition: PeerConnector.h:156

AccessLogEntry

Definition: AccessLogEntry.h:40

Security::PeerConnector::closeHandler

AsyncCall::Pointer closeHandler

we call this when the connection closed

Definition: PeerConnector.h:200

Security::PeerConnector::recordNegotiationDetails

void recordNegotiationDetails()

Definition: PeerConnector.cc:193

Security::PeerConnector::bail

void bail(ErrorState *error)

sends the given error to the initiator

Definition: PeerConnector.cc:504

Security::PeerConnector::noteNegotiationDone

virtual void noteNegotiationDone(ErrorState *)

Definition: PeerConnector.h:131

Security::PeerConnector::status

const char * status() const override

internal cleanup; do not call directly

Definition: PeerConnector.cc:578

Security::PeerConnector::useCertValidator_

bool useCertValidator_

Definition: PeerConnector.h:203

EncryptorAnswer.h

Security::PeerConnector::disconnect

void disconnect()

a bail(), sendSuccess() helper: stops monitoring the connection

Definition: PeerConnector.cc:538

Security::PeerConnector

Definition: PeerConnector.h:48

Security::PeerConnector::negotiationTimeout

time_t negotiationTimeout

the SSL connection timeout to use

Definition: PeerConnector.h:201

Security::PeerConnector::handleMissingCertificates

void handleMissingCertificates(const Security::IoResult &lastError)

Either initiates fetching of missing certificates or bails with an error.

Definition: PeerConnector.cc:680

Ssl::CertValidationResponse

Definition: cert_validate_message.h:38

Security::PeerConnector::certDownloadingDone

void certDownloadingDone(DownloaderAnswer &)

Called by Downloader after a certificate object downloaded.

Definition: PeerConnector.cc:624

AsyncCallbacks.h

Security::PeerConnector::downloadedCerts

Ssl::X509_STACK_Pointer downloadedCerts

successfully downloaded intermediate certificates (omitted by the peer)

Definition: PeerConnector.h:210

forward.h

Security::PeerConnector::suspendNegotiation

void suspendNegotiation(const Security::IoResult &lastError)

Definition: PeerConnector.cc:730

Security::PeerConnector::noteNegotiationError

virtual void noteNegotiationError(const Security::ErrorDetailPointer &)

Called when the SSL_connect function aborts with an SSL negotiation error.

Definition: PeerConnector.cc:485

Security::PeerConnector::MaxCertsDownloads

static const unsigned int MaxCertsDownloads

The maximum number of missing certificates a single PeerConnector may download.

Definition: PeerConnector.h:192

Security::KeyLogger

manages collecting and logging secrets of a TLS connection to tls_key_log

Definition: KeyLogger.h:23

Security::PeerConnector::countFailingConnection

void countFailingConnection()

updates connection usage history before the connection is closed

Definition: PeerConnector.cc:528

Security::Connection

SSL Connection

Definition: Session.h:49

KeyLogger.h

ChecklistFiller.h

forward.h

Security::PeerConnector::sslCrtvdCheckForErrors

Security::CertErrors * sslCrtvdCheckForErrors(Ssl::CertValidationResponse const &, ErrorDetailPointer &)

Check SSL errors returned from cert validator against sslproxy_cert_error access list.

Definition: PeerConnector.cc:385

Security::PeerConnector::negotiateSsl

void negotiateSsl()

Comm::SetSelect() callback. Direct calls tickle/resume negotiations.

Definition: PeerConnector.cc:449

Downloader

Definition: Downloader.h:45

Security::PeerConnector::CBDATA_INTERMEDIATE

CBDATA_INTERMEDIATE()

Security::IoResultPointer

RefCount< IoResult > IoResultPointer

Definition: PeerConnector.h:37

RefCount< AccessLogEntry >

Security::PeerConnector::doneAll

bool doneAll() const override

whether positive goal has been reached

Definition: PeerConnector.cc:63

AccessLogEntryPointer

RefCount< AccessLogEntry > AccessLogEntryPointer

Definition: PeerConnector.h:31

JobWait.h

Security::PeerConnector::urlsOfMissingCerts

std::queue< SBuf > urlsOfMissingCerts

The list of URLs where missing certificates should be downloaded.

Definition: PeerConnector.h:205

Security::PeerConnector::keyLogger

Security::KeyLogger keyLogger

managers logging of the being-established TLS connection secrets

Definition: PeerConnector.h:198

Security::PeerConnector::start

void start() override

Preps connection and SSL state. Calls negotiate().

Definition: PeerConnector.cc:70

Security::SessionPointer

std::shared_ptr< SSL > SessionPointer

Definition: Session.h:53

Security::PeerConnector::handleNegotiationResult

void handleNegotiationResult(const Security::IoResult &)

Called after each negotiation step to handle the result.

Definition: PeerConnector.cc:259

Security::PeerConnector::Pointer

CbcPointer< PeerConnector > Pointer

Definition: PeerConnector.h:53

Security::PeerConnector::resumeNegotiation

void resumeNegotiation()

Resumes TLS negotiation paused by suspendNegotiation()

Definition: PeerConnector.cc:740

Security::PeerConnector::fillChecklist

void fillChecklist(ACLFilledChecklist &) const override

configure the given checklist (to reflect the current transaction state)

Definition: PeerConnector.cc:91

JobWait< Downloader >

CommTimeoutCbParams

Definition: CommCalls.h:133

Security::PeerConnector::sslFinalized

bool sslFinalized()

Definition: PeerConnector.cc:289

Security::PeerConnector::al

AccessLogEntryPointer al

info for the future access.log entry

Definition: PeerConnector.h:167

CommCloseCbParams

Definition: CommCalls.h:127

Security::PeerConnector::commCloseHandler

void commCloseHandler(const CommCloseCbParams &params)

The comm_close callback handler.

Definition: PeerConnector.cc:109

ErrorState

Definition: errorpage.h:88

Security::PeerConnector::computeMissingCertificateUrls

bool computeMissingCertificateUrls(const Connection &)

finds URLs of (some) missing intermediate certificates or returns false

Definition: PeerConnector.cc:706

Security::PeerConnector::noteFwdPconnUse

bool noteFwdPconnUse

hack: whether the connection requires fwdPconnPool->noteUses()

Definition: PeerConnector.h:62

Security

Network/connection security abstraction layer.

Definition: Connection.h:33

CommCalls.h

Security::PeerConnector::noteWantWrite

virtual void noteWantWrite()

Definition: PeerConnector.cc:474

Acl::ChecklistFiller

an interface for those capable of configuring an ACLFilledChecklist object

Definition: ChecklistFiller.h:18

Security::PeerConnector::serverConnection

const Comm::ConnectionPointer & serverConnection() const

mimics FwdState to minimize changes to FwdState::initiate/negotiateSsl

Definition: PeerConnector.h:138

Security::PeerConnector::noteWantRead

void noteWantRead()

Definition: PeerConnector.cc:456

Security::PeerConnector::sendSuccess

void sendSuccess()

sends the encrypted connection to the initiator

Definition: PeerConnector.cc:519

DownloaderAnswer

download result

Definition: Downloader.h:28

Security::PeerConnector::startCertDownloading

void startCertDownloading(SBuf &url)

Start downloading procedure for the given URL.

Definition: PeerConnector.cc:614

squid-cache.org

Optimising Web Delivery

Introduction

Documentation

Support

Miscellaneous