PeerConnector.h
1 /*
2  * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 #ifndef SQUID_SRC_SECURITY_PEERCONNECTOR_H
10 #define SQUID_SRC_SECURITY_PEERCONNECTOR_H
11 
12 #include "acl/Acl.h"
13 #include "acl/ChecklistFiller.h"
14 #include "base/AsyncCbdataCalls.h"
15 #include "base/AsyncJob.h"
16 #include "base/JobWait.h"
17 #include "CommCalls.h"
18 #include "http/forward.h"
20 #include "security/forward.h"
21 #include "security/KeyLogger.h"
22 #if USE_OPENSSL
23 #include "ssl/support.h"
24 #endif
25 
26 #include <iosfwd>
27 #include <queue>
28 
29 class ErrorState;
30 class Downloader;
31 class AccessLogEntry;
33 
34 namespace Security
35 {
36 
37 class IoResult;
39 
/// Drives a TLS handshake on an already-established TCP connection to a peer
/// (serverConn) and reports the outcome to the initiator through the supplied
/// AsyncCall: sendSuccess() hands over the encrypted connection, bail() hands
/// over an ErrorState. The handshake runs asynchronously (AsyncJob) and, with
/// OpenSSL, may be suspended to fetch intermediate certificates the peer
/// omitted (handleMissingCertificates()).
/// NOTE(review): the URLs of those missing certificates are derived from what
/// the peer presented (presumably its certificate chain; see
/// computeMissingCertificateUrls()), so the proxy ends up fetching peer-chosen
/// URLs. MaxCertsDownloads, MaxNestedDownloads and certDownloadNestingLevel()
/// are the only visible bounds on that download activity.
48 class PeerConnector: virtual public AsyncJob, public Acl::ChecklistFiller
49 {
51 
52 public:
54 
 /// Callback dialer API that lets PeerConnector fill in the
 /// Security::EncryptorAnswer delivered to the initiator via `callback`.
56  class CbDialer
57  {
58  public:
59  virtual ~CbDialer() {} ///< virtual so derived dialers can be destroyed polymorphically
62  };
63 
64 public:
 /// \param aServerConn  established TCP connection to the peer (kept as serverConn)
 /// \param aCallback    call to schedule with the results (kept as callback)
 /// \param alp          access.log entry collecting details of this transaction (kept as al)
 /// \param timeout      TLS negotiation timeout (kept as negotiationTimeout);
 ///                     the meaning of the default 0 is not visible here --
 ///                     presumably "no explicit limit"; confirm in PeerConnector.cc
65  PeerConnector(const Comm::ConnectionPointer &aServerConn,
66  AsyncCall::Pointer &aCallback,
67  const AccessLogEntryPointer &alp,
68  const time_t timeout = 0);
69  virtual ~PeerConnector();
70 
73 
74 protected:
75  // AsyncJob API
76  virtual void start(); ///< preps connection and TLS state, then calls negotiate()
77  virtual bool doneAll() const; ///< whether the positive goal has been reached
78  virtual void swanSong(); ///< AsyncJob cleanup hook; not meant to be called directly
79  virtual const char *status() const;
80 
81  /* Acl::ChecklistFiller API */
 /// configures the given checklist to reflect the current transaction state
82  virtual void fillChecklist(ACLFilledChecklist &) const;
83 
86 
 /// comm_close callback handler; presumably registered as closeHandler on
 /// serverConn, so the peer connection is gone once this runs
88  void commCloseHandler(const CommCloseCbParams &params);
89 
 /// sets up the TLS session object for serverConn. The bool return reads as
 /// "false on failure" and the TLS context presumably comes from the derived
 /// class (getTlsContext()) -- no brief survives in this rendering; confirm in the .cc
91  virtual bool initialize(Security::SessionPointer &);
92 
95  void negotiate(); ///< performs the TLS handshake; called from start()
96 
 /// NOTE(review): undocumented here; the name suggests post-handshake
 /// finalization (e.g. dispatching certificate validation) -- confirm in the .cc
100  bool sslFinalized();
101 
104 
 /// called when the TLS library needs more input to continue the handshake;
 /// presumably re-arms the read-readiness notification (see NegotiateSsl())
108  void noteWantRead();
109 
 /// whether TLS negotiation has been paused (suspendNegotiation()) and not yet
 /// resumed; true exactly while suspendedError_, the IoResult of the last
 /// failed-and-suspended attempt, is set
111  bool isSuspended() const { return static_cast<bool>(suspendedError_); }
112 
113 #if USE_OPENSSL
 /// pauses the handshake after a failed step, recording lastError as
 /// suspendedError_; presumably used so that missing certificates can be
 /// fetched before resumeNegotiation() retries
114  void suspendNegotiation(const Security::IoResult &lastError);
117 
119  void resumeNegotiation(); ///< resumes TLS negotiation paused by suspendNegotiation()
120 
 /// either initiates fetching of missing intermediate certificates or bails
 /// with an error. The fetch targets are peer-influenced, so this is also
 /// where the MaxCertsDownloads / MaxNestedDownloads limits matter.
122  void handleMissingCertificates(const Security::IoResult &lastError);
123 
 /// starts the download procedure for the given URL (presumably popped from
 /// urlsOfMissingCerts). NOTE(review): the URL originates from the peer, not
 /// from configuration.
125  void startCertDownloading(SBuf &url);
126 
 /// called by Downloader after a certificate object has been fetched.
 /// `object` is untrusted bytes from a peer-chosen URL; it only becomes a
 /// usable intermediate after parsing and chain validation -- confirm where
 /// that validation happens before relying on downloadedCerts.
128  void certDownloadingDone(SBuf &object, int status);
129 #endif
130 
 /// called when the TLS library needs to write before the handshake can
 /// continue; presumably arms a write-readiness notification
133  virtual void noteWantWrite();
134 
137 
 /// hook for derived classes, run when negotiation finishes; the default does
 /// nothing. The ErrorState is presumably nil on success -- confirm
141  virtual void noteNegotiationDone(ErrorState *) {}
142 
146 
149 
151  void bail(ErrorState *error); ///< sends the given error to the initiator
152 
154  void sendSuccess(); ///< sends the encrypted connection to the initiator
155 
157  void callBack(); ///< bail()/sendSuccess() helper: delivers results to the initiator
158 
160  void disconnect(); ///< bail()/sendSuccess() helper: stops monitoring the connection
161 
 /// updates connection usage history before the connection is closed
163  void countFailingConnection();
164 
167 
171 
174 
179 private:
 // copying a job would duplicate the pending callback and the connection
 // reference. NOTE(review): `= delete` would turn an accidental copy into a
 // compile-time error instead of a link-time one.
180  PeerConnector(const PeerConnector &); // not implemented
181  PeerConnector &operator =(const PeerConnector &); // not implemented
182 
183 #if USE_OPENSSL
 /// the number of concurrent PeerConnector jobs waiting for us; presumably
 /// compared against MaxNestedDownloads to stop recursive certificate fetching
184  unsigned int certDownloadNestingLevel() const;
185 
188 
191 
193 #endif
194 
 /// Comm::SetSelect() notification wrapper. `data` is expected to be the
 /// PeerConnector that registered interest in fd; presumably validated
 /// (cbdata) before being dereferenced -- confirm in the .cc
195  static void NegotiateSsl(int fd, void *data);
 /// Comm::SetSelect() callback; direct calls tickle/resume negotiations
196  void negotiateSsl();
197 
 /// upper bound on missing certificates a single PeerConnector may download.
 /// NOTE(review): compile-time constant, not tunable from squid.conf.
199  static const unsigned int MaxCertsDownloads = 10;
200 
 /// upper bound on inter-dependent Downloader jobs a worker may initiate
 /// (i.e. how deep a fetch-that-needs-a-fetch chain may nest)
202  static const unsigned int MaxNestedDownloads = 3;
203 
206 
209  time_t startTime; ///< when the peer connector negotiation started
 /// URLs from which missing certificates should be downloaded (peer-derived)
211  std::queue<SBuf> urlsOfMissingCerts;
213  unsigned int certsDownloads; ///< the number of downloaded missing certificates (checked against MaxCertsDownloads)
214 
215 #if USE_OPENSSL
218 #endif
219 
222 
224 };
225 
226 } // namespace Security
227 
228 #endif /* SQUID_SRC_SECURITY_PEERCONNECTOR_H */
229 
PeerConnector(const Comm::ConnectionPointer &aServerConn, AsyncCall::Pointer &aCallback, const AccessLogEntryPointer &alp, const time_t timeout=0)
time_t startTime
when the peer connector negotiation started
std::shared_ptr< SSL_CTX > ContextPointer
Definition: Context.h:29
virtual bool initialize(Security::SessionPointer &)
EncryptorAnswer & answer()
convenience method to get to the answer fields
virtual Security::ContextPointer getTlsContext()=0
static void NegotiateSsl(int fd, void *data)
A wrapper for Comm::SetSelect() notifications.
static const unsigned int MaxNestedDownloads
The maximum number of inter-dependent Downloader jobs a worker may initiate.
void callBack()
a bail(), sendSuccess() helper: sends results to the initiator
Comm::ConnectionPointer serverConn
TCP connection to the peer.
Security::IoResultPointer suspendedError_
outcome of the last (failed and) suspended negotiation attempt (or nil)
HttpRequestPointer request
peer connection trigger or cause
unsigned int certsDownloads
the number of downloaded missing certificates
void commTimeoutHandler(const CommTimeoutCbParams &)
The connection read timeout callback handler.
void error(char *format,...)
Definition: SBuf.h:87
std::unique_ptr< STACK_OF(X509), sk_X509_free_wrapper > X509_STACK_Pointer
Definition: gadgets.h:47
void certDownloadingDone(SBuf &object, int status)
Called by Downloader after a certificate object downloaded.
unsigned int certDownloadNestingLevel() const
the number of concurrent PeerConnector jobs waiting for us
JobWait< Downloader > certDownloadWait
waits for the missing certificate to be downloaded
virtual void fillChecklist(ACLFilledChecklist &) const
configure the given checklist (to reflect the current transaction state)
a summary of a TLS I/O operation outcome
Definition: Io.h:19
PeerConnector & operator=(const PeerConnector &)
bool isSuspended() const
Whether TLS negotiation has been paused and not yet resumed.
void bypassCertValidator()
If called, the certificate validator will not be used.
AsyncCall::Pointer closeHandler
we call this when the connection closed
void bail(ErrorState *error)
sends the given error to the initiator
virtual void noteNegotiationDone(ErrorState *)
void disconnect()
a bail(), sendSuccess() helper: stops monitoring the connection
time_t negotiationTimeout
the SSL connection timeout to use
void handleMissingCertificates(const Security::IoResult &lastError)
Either initiates fetching of missing certificates or bails with an error.
Ssl::X509_STACK_Pointer downloadedCerts
successfully downloaded intermediate certificates (omitted by the peer)
Comm::ConnectionPointer const & serverConnection() const
mimics FwdState to minimize changes to FwdState::initiate/negotiateSsl
void suspendNegotiation(const Security::IoResult &lastError)
CBDATA_CLASS(PeerConnector)
virtual void noteNegotiationError(const Security::ErrorDetailPointer &)
Called when the SSL_connect function aborts with an SSL negotiation error.
Callback dialer API to allow PeerConnector to set the answer.
Definition: PeerConnector.h:57
static const unsigned int MaxCertsDownloads
The maximum number of missing certificates a single PeerConnector may download.
manages collecting and logging secrets of a TLS connection to tls_key_log
Definition: KeyLogger.h:24
void countFailingConnection()
updates connection usage history before the connection is closed
virtual const char * status() const
internal cleanup; do not call directly
SSL Connection
Definition: Session.h:45
Security::CertErrors * sslCrtvdCheckForErrors(Ssl::CertValidationResponse const &, ErrorDetailPointer &)
Check SSL errors returned from cert validator against sslproxy_cert_error access list.
void negotiateSsl()
Comm::SetSelect() callback. Direct calls tickle/resume negotiations.
RefCount< IoResult > IoResultPointer
Definition: PeerConnector.h:37
RefCount< AccessLogEntry > AccessLogEntryPointer
Definition: PeerConnector.h:31
std::queue< SBuf > urlsOfMissingCerts
The list of URLs where missing certificates should be downloaded.
Security::KeyLogger keyLogger
manages logging of the secrets of the TLS connection being established
AsyncCall::Pointer callback
we call this with the results
std::shared_ptr< SSL > SessionPointer
Definition: Session.h:49
void handleNegotiationResult(const Security::IoResult &)
Called after each negotiation step to handle the result.
virtual bool doneAll() const
whether positive goal has been reached
CbcPointer< PeerConnector > Pointer
Definition: PeerConnector.h:53
virtual Security::EncryptorAnswer & answer()=0
gives PeerConnector access to the in-dialer answer
void resumeNegotiation()
Resumes TLS negotiation paused by suspendNegotiation()
AccessLogEntryPointer al
info for the future access.log entry
void commCloseHandler(const CommCloseCbParams &params)
The comm_close callback handler.
void sslCrtvdHandleReply(Ssl::CertValidationResponsePointer)
Process response from cert validator helper.
bool computeMissingCertificateUrls(const Connection &)
finds URLs of (some) missing intermediate certificates or returns false
PeerConnector(const PeerConnector &)
bool noteFwdPconnUse
hack: whether the connection requires fwdPconnPool->noteUses()
Definition: PeerConnector.h:72
virtual void start()
Preps connection and SSL state. Calls negotiate().
Network/connection security abstraction layer.
Definition: Connection.h:34
virtual void noteWantWrite()
an interface for those capable of configuring an ACLFilledChecklist object
void sendSuccess()
sends the encrypted connection to the initiator
void startCertDownloading(SBuf &url)
Start downloading procedure for the given URL.

 
