A simple PeerConnector for SSL/TLS cache_peers. No SslBump capabilities. More...

#include <BlindPeerConnector.h>


Public Types

typedef CbcPointer< PeerConnector > Pointer

Public Member Functions

 BlindPeerConnector (HttpRequestPointer &aRequest, const Comm::ConnectionPointer &aServerConn, const AsyncCallback< EncryptorAnswer > &aCallback, const AccessLogEntryPointer &alp, const time_t timeout=0)
bool initialize (Security::SessionPointer &) override
Security::ContextPointer getTlsContext () override
 Return the configured TLS context object. More...
void noteNegotiationDone (ErrorState *) override
bool canBeCalled (AsyncCall &call) const
 whether we can be called More...
void callStart (AsyncCall &call)
virtual void callEnd ()
 called right after the called job method More...
virtual void callException (const std::exception &e)
 called when the job throws during an async call More...
void handleStopRequest ()
 process external request to terminate now (i.e. during this async call) More...
virtual void * toCbdata ()=0

Static Public Member Functions

static void Start (const Pointer &job)

Public Attributes

bool noteFwdPconnUse
 hack: whether the connection requires fwdPconnPool->noteUses() More...
const InstanceId< AsyncJob > id
 job identifier More...

Protected Member Functions

void start () override
 Preps connection and SSL state. Calls negotiate(). More...
bool doneAll () const override
 whether positive goal has been reached More...
void swanSong () override
const char * status () const override
 internal cleanup; do not call directly More...
void fillChecklist (ACLFilledChecklist &) const override
 configure the given checklist (to reflect the current transaction state) More...
void commTimeoutHandler (const CommTimeoutCbParams &)
 The connection read timeout callback handler. More...
void commCloseHandler (const CommCloseCbParams &params)
 The comm_close callback handler. More...
void negotiate ()
bool sslFinalized ()
void handleNegotiationResult (const Security::IoResult &)
 Called after each negotiation step to handle the result. More...
void noteWantRead ()
bool isSuspended () const
 Whether TLS negotiation has been paused and not yet resumed. More...
void suspendNegotiation (const Security::IoResult &lastError)
void resumeNegotiation ()
 Resumes TLS negotiation paused by suspendNegotiation() More...
void handleMissingCertificates (const Security::IoResult &lastError)
 Either initiates fetching of missing certificates or bails with an error. More...
void startCertDownloading (SBuf &url)
 Start downloading procedure for the given URL. More...
void certDownloadingDone (DownloaderAnswer &)
 Called by Downloader after a certificate object downloaded. More...
virtual void noteWantWrite ()
virtual void noteNegotiationError (const Security::ErrorDetailPointer &)
 Called when the SSL_connect function aborts with an SSL negotiation error. More...
Comm::ConnectionPointer const & serverConnection () const
 mimics FwdState to minimize changes to FwdState::initiate/negotiateSsl More...
void bail (ErrorState *error)
 sends the given error to the initiator More...
void sendSuccess ()
 sends the encrypted connection to the initiator More...
void callBack ()
 a bail(), sendSuccess() helper: sends results to the initiator More...
void disconnect ()
 a bail(), sendSuccess() helper: stops monitoring the connection More...
void countFailingConnection (const ErrorState *)
 updates connection usage history before the connection is closed More...
void bypassCertValidator ()
 If called, the certificate validator (the external helper that sslFinalized() would otherwise submit the server certificate chain to) will not be used for this connection. More...
void recordNegotiationDetails ()
EncryptorAnswer & answer ()
 convenience method to get to the answer fields More...
void deleteThis (const char *aReason)
void mustStop (const char *aReason)
bool done () const
 the job is destroyed in callEnd() when done() More...

Protected Attributes

HttpRequestPointer request
 peer connection trigger or cause More...
Comm::ConnectionPointer serverConn
 TCP connection to the peer. More...
AccessLogEntryPointer al
 info for the future access.log entry More...
AsyncCallback< EncryptorAnswer > callback
 answer destination More...
const char * stopReason
 reason for forcing done() to be true More...
const char * typeName
 kid (leaf) class name, for debugging More...
AsyncCall::Pointer inCall
 the asynchronous call being handled, if any More...
bool started_ = false
 Start() has finished successfully. More...
bool swanSang_ = false
 swanSong() was called More...

Private Member Functions

 CBDATA_CHILD (BlindPeerConnector)
unsigned int certDownloadNestingLevel () const
 the number of concurrent PeerConnector jobs waiting for us More...
void sslCrtvdHandleReply (Ssl::CertValidationResponsePointer &)
 Process response from cert validator helper. More...
Security::CertErrors * sslCrtvdCheckForErrors (Ssl::CertValidationResponse const &, ErrorDetailPointer &)
 Check SSL errors returned from cert validator against sslproxy_cert_error access list. More...
bool computeMissingCertificateUrls (const Connection &)
 finds URLs of (some) missing intermediate certificates or returns false More...
void negotiateSsl ()
 Comm::SetSelect() callback. Direct calls tickle/resume negotiations. More...
virtual void finalizedInCbdataChild ()=0
 hack: ensure CBDATA_CHILD() after a toCbdata()-defining CBDATA_INTERMEDIATE() More...

Static Private Member Functions

static void NegotiateSsl (int fd, void *data)
 A wrapper for Comm::SetSelect() notifications. More...

Private Attributes

Security::KeyLogger keyLogger
 manages logging of the secrets of the TLS connection being established (such secrets allow decryption of the captured traffic, so the log destination must be access-controlled accordingly) More...
AsyncCall::Pointer closeHandler
 we call this when the connection closed More...
time_t negotiationTimeout
 the SSL connection timeout to use More...
time_t startTime
 when the peer connector negotiation started More...
bool useCertValidator_
std::queue< SBuf > urlsOfMissingCerts
 The list of URLs where missing certificates should be downloaded. More...
unsigned int certsDownloads
 the number of downloaded missing certificates More...
Ssl::X509_STACK_Pointer downloadedCerts
 successfully downloaded intermediate certificates (omitted by the peer) More...
Security::IoResultPointer suspendedError_
 outcome of the last (failed and) suspended negotiation attempt (or nil) More...
JobWait< Downloader > certDownloadWait
 waits for the missing certificate to be downloaded More...

Static Private Attributes

static const unsigned int MaxCertsDownloads = 10
 The maximum number of missing certificates a single PeerConnector may download; this bounds the downloading work a peer can trigger by omitting intermediate certificates from its chain. More...
static const unsigned int MaxNestedDownloads = 3
 The maximum number of inter-dependent Downloader jobs a worker may initiate. More...

Detailed Description

Definition at line 20 of file BlindPeerConnector.h.

Member Typedef Documentation

◆ Pointer

Definition at line 53 of file PeerConnector.h.

Constructor & Destructor Documentation

◆ BlindPeerConnector()

Security::BlindPeerConnector::BlindPeerConnector ( HttpRequestPointer & aRequest,
const Comm::ConnectionPointer & aServerConn,
const AsyncCallback< EncryptorAnswer > & aCallback,
const AccessLogEntryPointer & alp,
const time_t timeout = 0 )

Definition at line 23 of file BlindPeerConnector.h.

References Security::PeerConnector::request.

Member Function Documentation

◆ answer()

Security::EncryptorAnswer & Security::PeerConnector::answer ( )

Definition at line 499 of file PeerConnector.cc.

References assert.

◆ bail()

void Security::PeerConnector::bail ( ErrorState * error )

Definition at line 506 of file PeerConnector.cc.

References error(), and Must.

◆ bypassCertValidator()

void Security::PeerConnector::bypassCertValidator ( )

Definition at line 156 of file PeerConnector.h.

References Security::PeerConnector::useCertValidator_.

◆ callBack()

void Security::PeerConnector::callBack ( )

Definition at line 557 of file PeerConnector.cc.

References Assure, conn, debugs, and ScheduleCallHere.

◆ callEnd()

void AsyncJob::callEnd ( )

◆ callException()

◆ callStart()

void AsyncJob::callStart ( AsyncCall & call )

◆ canBeCalled()

bool AsyncJob::canBeCalled ( AsyncCall & call ) const

Definition at line 102 of file AsyncJob.cc.

References AsyncCall::cancel(), debugs, and AsyncJob::inCall.


Security::BlindPeerConnector::CBDATA_CHILD ( BlindPeerConnector  )


Security::PeerConnector::CBDATA_INTERMEDIATE ( )

◆ certDownloadingDone()

void Security::PeerConnector::certDownloadingDone ( DownloaderAnswer & downloaderAnswer )

◆ certDownloadNestingLevel()

unsigned int Security::PeerConnector::certDownloadNestingLevel ( ) const

Definition at line 603 of file PeerConnector.cc.

◆ commCloseHandler()

void Security::PeerConnector::commCloseHandler ( const CommCloseCbParams & params )

◆ commTimeoutHandler()

void Security::PeerConnector::commTimeoutHandler ( const CommTimeoutCbParams & )

◆ computeMissingCertificateUrls()

bool Security::PeerConnector::computeMissingCertificateUrls ( const Connection & sconn )

Definition at line 708 of file PeerConnector.cc.

References assert, debugs, and Ssl::missingChainCertificatesUrls().

◆ countFailingConnection()

void Security::PeerConnector::countFailingConnection ( const ErrorState * error )

◆ deleteThis()

void AsyncJob::deleteThis ( const char *  aReason)

◆ disconnect()

void Security::PeerConnector::disconnect ( )

◆ done()

bool AsyncJob::done ( ) const

◆ doneAll()

bool Security::PeerConnector::doneAll ( ) const

Reimplemented from AsyncJob.

Definition at line 61 of file PeerConnector.cc.

References AsyncJob::doneAll().

◆ fillChecklist()

void Security::PeerConnector::fillChecklist ( ACLFilledChecklist & ) const

◆ finalizedInCbdataChild()

virtual void CbdataParent::finalizedInCbdataChild ( )
private, pure virtual, inherited

◆ getTlsContext()

◆ handleMissingCertificates()

void Security::PeerConnector::handleMissingCertificates ( const Security::IoResult & lastError )

◆ handleNegotiationResult()

◆ handleStopRequest()

void AsyncJob::handleStopRequest ( )

Definition at line 71 of file AsyncJob.h.

References AsyncJob::mustStop().

◆ initialize()

bool Security::BlindPeerConnector::initialize ( Security::SessionPointer & serverSession )

Calls the parent initialize(), configures the created TLS session object to try to resume a previously saved TLS session, and sets the hostname used for certificate validation (judging by the references below, the cache_peer's configured sslDomain, which is also sent as the client SNI).

Returns true on successful initialization.

Reimplemented from Security::PeerConnector.

Definition at line 34 of file BlindPeerConnector.cc.

References assert, SBuf::c_str(), debugs, Security::PeerOptions::encryptTransport, Security::PeerConnector::initialize(), SBuf::isEmpty(), CachePeer::secure, Ssl::setClientSNI(), Security::SetSessionResumeData(), ssl_ex_index_server, Security::PeerOptions::sslDomain, and CachePeer::sslSession.

◆ isSuspended()

bool Security::PeerConnector::isSuspended ( ) const

Definition at line 101 of file PeerConnector.h.

References Security::PeerConnector::suspendedError_.

◆ mustStop()

◆ negotiate()

void Security::PeerConnector::negotiate ( )

Performs a single secure connection negotiation step. It is called multiple times until the negotiation finishes or aborts.

Definition at line 211 of file PeerConnector.cc.

References Ssl::VerifyCallbackParameters::At(), Security::Connect(), DBG_IMPORTANT, debugs, fd_table, Security::IoResult::ioSuccess, Comm::IsConnOpen(), and Must.

◆ negotiateSsl()

void Security::PeerConnector::negotiateSsl ( )

Definition at line 451 of file PeerConnector.cc.

References CallJobHere.

◆ NegotiateSsl()

void Security::PeerConnector::NegotiateSsl ( int fd,
void * data )

Definition at line 441 of file PeerConnector.cc.

◆ noteNegotiationDone()

void Security::BlindPeerConnector::noteNegotiationDone ( ErrorState * error )

On success, stores the used TLS session for later use. On error, informs the peer.

Reimplemented from Security::PeerConnector.

Definition at line 67 of file BlindPeerConnector.cc.

References debugs, error(), fd_table, and Security::MaybeGetSessionResumeData().

◆ noteNegotiationError()

void Security::PeerConnector::noteNegotiationError ( const Security::ErrorDetailPointer & detail )

◆ noteWantRead()

void Security::PeerConnector::noteWantRead ( )

Called when the OpenSSL SSL_connect function requests more data from the remote TLS server. Sets the read timeout and installs the Squid COMM_SELECT_READ handler.

Definition at line 458 of file PeerConnector.cc.

References COMM_SELECT_READ, commSetConnTimeout(), Security::PeerConnector::commTimeoutHandler(), debugs, Comm::IsConnOpen(), JobCallback, Comm::MortalReadTimeout(), Must, and Comm::SetSelect().

◆ noteWantWrite()

void Security::PeerConnector::noteWantWrite ( )

Called when the OpenSSL SSL_connect function needs to write data to the remote TLS server. Installs the Squid COMM_SELECT_WRITE handler.

Reimplemented in Ssl::PeekingPeerConnector.

Definition at line 476 of file PeerConnector.cc.

References COMM_SELECT_WRITE, debugs, Comm::IsConnOpen(), Must, and Comm::SetSelect().

Referenced by Ssl::PeekingPeerConnector::checkForPeekAndSpliceMatched(), and Ssl::PeekingPeerConnector::noteWantWrite().

◆ recordNegotiationDetails()

void Security::PeerConnector::recordNegotiationDetails ( )

Called after negotiation finishes to record connection details for logging

Definition at line 191 of file PeerConnector.cc.

References BIO_get_data(), fd_table, Comm::IsConnOpen(), Must, and Ssl::ServerBio::receivedHelloDetails().

◆ resumeNegotiation()

void Security::PeerConnector::resumeNegotiation ( )

Definition at line 737 of file PeerConnector.cc.

References fd_table, Must, SQUID_TLS_ERR_CONNECT, and Ssl::VerifyConnCertificates().

◆ sendSuccess()

void Security::PeerConnector::sendSuccess ( )

Definition at line 521 of file PeerConnector.cc.

References assert, and Comm::IsConnOpen().

◆ serverConnection()

Comm::ConnectionPointer const & Security::PeerConnector::serverConnection ( ) const

Definition at line 138 of file PeerConnector.h.

References Security::PeerConnector::serverConn.

Referenced by getTlsContext().

◆ sslCrtvdCheckForErrors()

Security::CertErrors * Security::PeerConnector::sslCrtvdCheckForErrors ( Ssl::CertValidationResponse const & resp,
ErrorDetailPointer & errDetails )

Checks the errors in the certificate validator response against the sslproxy_cert_error access list. The first honored error (i.e., the first one the access list does not permit to be ignored), if any, is returned via the errDetails parameter. The method returns all seen errors except SSL_ERROR_NONE as Security::CertErrors, regardless of whether they were honored.

Definition at line 383 of file PeerConnector.cc.

References acl_access, Acl::Answer::allowed(), assert, SquidConfig::cert_error, Config, dash_str, debugs, Ssl::CertValidationResponse::errors, ACLChecklist::fastCheck(), fd_table, Comm::IsConnOpen(), Must, CbDataList< C >::push_back_unique(), and ACLFilledChecklist::sslErrors.

◆ sslCrtvdHandleReply()

◆ sslFinalized()

bool Security::PeerConnector::sslFinalized ( )

Called after negotiation has finished. Cleans up TLS/SSL state. Returns false if we are now waiting for the certs validation job. Otherwise, returns true, regardless of negotiation success/failure.

Definition at line 287 of file PeerConnector.cc.

References asyncCallback, DBG_IMPORTANT, debugs, Ssl::CertValidationRequest::domainName, ERR_GATEWAY_FAILURE, Ssl::CertValidationRequest::errors, fd_table, Comm::IsConnOpen(), Must, Http::scInternalServerError, Ssl::CertValidationRequest::ssl, ssl_ex_index_server, ssl_ex_index_ssl_errors, Security::PeerConnector::sslCrtvdHandleReply(), Ssl::CertValidationHelper::Submit(), and Ssl::TheConfig.

◆ start()

void Security::PeerConnector::start ( )

Reimplemented from AsyncJob.

Definition at line 68 of file PeerConnector.cc.

References assert, debugs, ERR_CONNECT_FAIL, fd_table, Comm::IsConnOpen(), Http::scBadGateway, and AsyncJob::start().

◆ Start()

◆ startCertDownloading()

void Security::PeerConnector::startCertDownloading ( SBuf & url )

◆ status()

const char * Security::PeerConnector::status ( ) const

for debugging, starts with space

Reimplemented from AsyncJob.

Definition at line 580 of file PeerConnector.cc.

References MemBuf::append(), Packable::appendf(), MemBuf::content(), Comm::IsConnOpen(), MemBuf::reset(), and MemBuf::terminate().

◆ suspendNegotiation()

void Security::PeerConnector::suspendNegotiation ( const Security::IoResult & lastError )

Suspends TLS negotiation to download the missing certificates

lastError: an error to handle when resuming negotiations

Definition at line 727 of file PeerConnector.cc.

References debugs, and Must.

◆ swanSong()

void Security::PeerConnector::swanSong ( )

Reimplemented from AsyncJob.

Definition at line 565 of file PeerConnector.cc.

References assert, ERR_GATEWAY_FAILURE, Http::scInternalServerError, and AsyncJob::swanSong().

◆ toCbdata()

virtual void * CbdataParent::toCbdata ( )
pure virtual, inherited

Member Data Documentation

◆ al

AccessLogEntryPointer Security::PeerConnector::al

Definition at line 167 of file PeerConnector.h.

◆ callback

AsyncCallback<EncryptorAnswer> Security::PeerConnector::callback

Definition at line 170 of file PeerConnector.h.

◆ certDownloadWait

JobWait<Downloader> Security::PeerConnector::certDownloadWait

Definition at line 216 of file PeerConnector.h.

◆ certsDownloads

unsigned int Security::PeerConnector::certsDownloads

Definition at line 206 of file PeerConnector.h.

◆ closeHandler

AsyncCall::Pointer Security::PeerConnector::closeHandler

Definition at line 200 of file PeerConnector.h.

Referenced by Security::PeerConnector::PeerConnector().

◆ downloadedCerts

Ssl::X509_STACK_Pointer Security::PeerConnector::downloadedCerts

Definition at line 210 of file PeerConnector.h.

◆ id

const InstanceId<AsyncJob> AsyncJob::id

Definition at line 73 of file AsyncJob.h.

◆ inCall

AsyncCall::Pointer AsyncJob::inCall

◆ keyLogger

Security::KeyLogger Security::PeerConnector::keyLogger

Definition at line 198 of file PeerConnector.h.

◆ MaxCertsDownloads

const unsigned int Security::PeerConnector::MaxCertsDownloads = 10

Definition at line 192 of file PeerConnector.h.

◆ MaxNestedDownloads

const unsigned int Security::PeerConnector::MaxNestedDownloads = 3

Definition at line 195 of file PeerConnector.h.

◆ negotiationTimeout

time_t Security::PeerConnector::negotiationTimeout

Definition at line 201 of file PeerConnector.h.

◆ noteFwdPconnUse

bool Security::PeerConnector::noteFwdPconnUse

Definition at line 62 of file PeerConnector.h.

Referenced by FwdState::secureConnectionToPeer().

◆ request

HttpRequestPointer Security::PeerConnector::request

◆ serverConn

Comm::ConnectionPointer Security::PeerConnector::serverConn

◆ started_

bool AsyncJob::started_ = false

Definition at line 83 of file AsyncJob.h.

Referenced by AsyncJob::~AsyncJob(), AsyncJob::callEnd(), and AsyncJob::Start().

◆ startTime

time_t Security::PeerConnector::startTime

Definition at line 202 of file PeerConnector.h.

◆ stopReason

const char* AsyncJob::stopReason

◆ suspendedError_

Security::IoResultPointer Security::PeerConnector::suspendedError_

Definition at line 214 of file PeerConnector.h.

Referenced by Security::PeerConnector::isSuspended().

◆ swanSang_

bool AsyncJob::swanSang_ = false

Definition at line 84 of file AsyncJob.h.

Referenced by AsyncJob::~AsyncJob(), and AsyncJob::callEnd().

◆ typeName

◆ urlsOfMissingCerts

std::queue<SBuf> Security::PeerConnector::urlsOfMissingCerts

Definition at line 205 of file PeerConnector.h.

◆ useCertValidator_

bool Security::PeerConnector::useCertValidator_

whether the external certificate validator should be bypassed for this connection (set by bypassCertValidator())

Definition at line 203 of file PeerConnector.h.

Referenced by Security::PeerConnector::bypassCertValidator().

The documentation for this class was generated from the following files:





