A PeerConnector for HTTP origin servers. Capable of SslBumping.

#include <PeekingPeerConnector.h>

Inheritance diagram for Ssl::PeekingPeerConnector:
Collaboration diagram for Ssl::PeekingPeerConnector:

Public Types

typedef CbcPointer< AsyncJob > Pointer
 

Public Member Functions

 PeekingPeerConnector (HttpRequestPointer &aRequest, const Comm::ConnectionPointer &aServerConn, const Comm::ConnectionPointer &aClientConn, AsyncCall::Pointer &aCallback, const AccessLogEntryPointer &alp, const time_t timeout=0)
 
virtual bool initialize (Security::SessionPointer &)
 
virtual Security::ContextPointer getTlsContext ()
 
virtual void noteWantWrite ()
 
virtual void noteNegotiationError (const int result, const int ssl_error, const int ssl_lib_error)
 
virtual void noteNegotiationDone (ErrorState *error)
 
void handleServerCertificate ()
 
void checkForPeekAndSplice ()
 
void checkForPeekAndSpliceDone (allow_t answer)
 Callback for the ssl_bump ACL check at SSL bump step 3.
 
void checkForPeekAndSpliceMatched (const Ssl::BumpMode finalMode)
 Handles the final bumping decision.
 
Ssl::BumpMode checkForPeekAndSpliceGuess () const
 Guesses the final bumping decision when no ssl_bump rules match.
 
void serverCertificateVerified ()
 
bool canBeCalled (AsyncCall &call) const
 whether we can be called
 
void callStart (AsyncCall &call)
 
virtual void callEnd ()
 called right after the called job method
 
virtual void callException (const std::exception &e)
 called when the job throws during an async call
 
virtual void * toCbdata ()=0
 

Static Public Member Functions

static void cbCheckForPeekAndSpliceDone (allow_t answer, void *data)
 A wrapper function for checkForPeekAndSpliceDone for use with acl.
 
static Pointer Start (AsyncJob *job)
 starts a freshly created job (i.e., makes the job asynchronous)
 

Protected Member Functions

virtual void start ()
 Preps connection and SSL state. Calls negotiate().
 
virtual bool doneAll () const
 whether positive goal has been reached
 
virtual void swanSong ()
 internal cleanup; do not call directly
 
virtual const char * status () const
 for debugging, starts with space
 
void commCloseHandler (const CommCloseCbParams &params)
 The comm_close callback handler.
 
void connectionClosed (const char *reason)
 Inform us that the connection is closed. Does the required clean-up.
 
bool prepareSocket ()
 
void setReadTimeout ()
 
void negotiate ()
 
bool sslFinalized ()
 
void handleNegotiateError (const int result)
 
void noteWantRead ()
 
bool checkForMissingCertificates ()
 
void startCertDownloading (SBuf &url)
 Start downloading procedure for the given URL.
 
void certDownloadingDone (SBuf &object, int status)
 Called by Downloader after a certificate object has been downloaded.
 
Comm::ConnectionPointer const & serverConnection () const
 mimics FwdState to minimize changes to FwdState::initiate/negotiateSsl
 
void bail (ErrorState *error)
 Return an error to the PeerConnector caller.
 
void callBack ()
 
void bypassCertValidator ()
 If called, the certificate validator will not be used.
 
void recordNegotiationDetails ()
 
void deleteThis (const char *aReason)
 
void mustStop (const char *aReason)
 
bool done () const
 the job is destroyed in callEnd() when done()
 

Protected Attributes

HttpRequestPointer request
 peer connection trigger or cause
 
Comm::ConnectionPointer serverConn
 TCP connection to the peer.
 
AccessLogEntryPointer al
 info for the future access.log entry
 
AsyncCall::Pointer callback
 we call this with the results
 
const char * stopReason
 reason for forcing done() to be true
 
const char * typeName
 kid (leaf) class name, for debugging
 
AsyncCall::Pointer inCall
 the asynchronous call being handled, if any
 
const InstanceId< AsyncJob > id
 job identifier
 

Private Member Functions

 CBDATA_CLASS (PeekingPeerConnector)
 
void tunnelInsteadOfNegotiating ()
 Informs the caller class that the SSL negotiation was aborted.
 

Private Attributes

Comm::ConnectionPointer clientConn
 TCP connection to the client.
 
AsyncCall::Pointer closeHandler
 we call this when the connection closed
 
bool splice
 whether we are going to splice or not
 
bool resumingSession
 whether this connection resumes an SSL session
 
bool serverCertificateHandled
 whether handleServerCertificate() succeeded
 

Detailed Description

Definition at line 20 of file PeekingPeerConnector.h.

Member Typedef Documentation

typedef CbcPointer< AsyncJob > AsyncJob::Pointer
inherited

Definition at line 34 of file AsyncJob.h.

Constructor & Destructor Documentation

Ssl::PeekingPeerConnector::PeekingPeerConnector ( HttpRequestPointer & aRequest,
const Comm::ConnectionPointer & aServerConn,
const Comm::ConnectionPointer & aClientConn,
AsyncCall::Pointer & aCallback,
const AccessLogEntryPointer & alp,
const time_t  timeout = 0 
)
inline

Definition at line 23 of file PeekingPeerConnector.h.

References Security::PeerConnector::request.

Member Function Documentation

void Security::PeerConnector::bail ( ErrorState * error)
protected, inherited
void Security::PeerConnector::bypassCertValidator ( )
inline, protected, inherited

Definition at line 172 of file PeerConnector.h.

References Security::PeerConnector::useCertValidator_.

void Security::PeerConnector::callBack ( )
protected, inherited

Calls back the caller class, passing the ready-to-use secure connection, or an error if PeerConnector failed.

Definition at line 553 of file PeerConnector.cc.

References Security::PeerConnector::CbDialer::answer(), callback, comm_remove_close_handler(), Security::EncryptorAnswer::conn, debugs, AsyncCall::getDialer(), Must, NULL, and ScheduleCallHere.

void AsyncJob::callEnd ( )
virtual, inherited
void AsyncJob::callStart ( AsyncCall & call)
inherited
bool AsyncJob::canBeCalled ( AsyncCall & call) const
inherited

Definition at line 101 of file AsyncJob.cc.

References AsyncCall::cancel(), debugs, HERE(), AsyncJob::inCall, and NULL.

void Ssl::PeekingPeerConnector::cbCheckForPeekAndSpliceDone ( allow_t  answer,
void *  data 
)
static

Definition at line 29 of file PeekingPeerConnector.cc.

References CallJobHere1, and checkForPeekAndSpliceDone().

Referenced by checkForPeekAndSplice().

Ssl::PeekingPeerConnector::CBDATA_CLASS ( PeekingPeerConnector  )
private
void Security::PeerConnector::certDownloadingDone ( SBuf & object,
int  status 
)
protected, inherited
bool Security::PeerConnector::checkForMissingCertificates ( )
protected, inherited

Walks the certificate list sent by the SSL server and checks whether any certificates are missing. Adds the URLs of the missing certificates to the urlOfMissingCerts list, provided the issued certificates supply that information through the Authority Information Access extension.

Definition at line 680 of file PeerConnector.cc.

References BIO_get_data(), Security::CertList, debugs, fd_table, Ssl::missingChainCertificatesUrls(), Downloader::nestedLevel(), and request().
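
The walk described above, as an added example that is not Squid's code: it operates on a simplified certificate model (subject, issuer and the AIA "CA Issuers" URL, which a real implementation would read from the OpenSSL X509 objects), uses a constructed incomplete chain as input, and bounds the chase with a nesting limit in the role Downloader::nestedLevel() plays on this page. The http-only restriction and the depth limit of 5 are assumptions of this example, not values taken from Squid.

```cpp
// Added example, not Squid's code: the chain-completeness walk that
// checkForMissingCertificates() performs, over a simplified certificate model.
#include <cstdio>
#include <set>
#include <string>
#include <vector>

// Only the fields the walk needs. A real implementation reads them from the
// OpenSSL X509 objects of the peer-sent chain (subject, issuer, and the
// "CA Issuers" access location of the Authority Information Access extension).
struct Cert {
    std::string subject;
    std::string issuer;
    std::string aiaCaIssuersUrl; // empty when the certificate carries no AIA
};

// Returns the AIA URLs of issuers missing from the chain: certificates whose
// issuer was neither sent by the server nor is a locally trusted root.
// nestedLevel counts how many downloaded issuers already led here; once it
// reaches maxNestedLevel the chase stops, so a chain of AIA pointers in
// attacker-supplied certificates cannot keep the proxy fetching forever.
std::vector<std::string> missingChainCertificateUrls(
    const std::vector<Cert> &chain,
    const std::set<std::string> &trustedRootSubjects,
    int nestedLevel, int maxNestedLevel = 5)
{
    std::vector<std::string> urls;
    if (nestedLevel >= maxNestedLevel)
        return urls; // depth limit reached: request nothing more

    std::set<std::string> sentSubjects;
    for (const auto &c : chain)
        sentSubjects.insert(c.subject);

    std::set<std::string> queued; // several leafs may name the same missing issuer
    for (const auto &c : chain) {
        if (c.subject == c.issuer)
            continue; // self-signed: nothing above it to fetch
        if (sentSubjects.count(c.issuer) || trustedRootSubjects.count(c.issuer))
            continue; // issuer is already available locally
        // Assumption: only http:// locations are fetchable by the downloader;
        // ldap:, file: and other schemes found in the AIA are ignored.
        if (c.aiaCaIssuersUrl.rfind("http://", 0) != 0)
            continue;
        if (queued.insert(c.aiaCaIssuersUrl).second)
            urls.push_back(c.aiaCaIssuersUrl);
    }
    return urls;
}

// Constructed sample chain: the server sent only its leaf and omitted the
// intermediate. The leaf's AIA names where that intermediate can be fetched.
std::vector<Cert> sampleIncompleteChain() {
    return {
        {"CN=www.example.test", "CN=Example Intermediate CA",
         "http://aia.example.test/intermediate.cer"},
    };
}

// Same server, but this time the intermediate was included in the chain.
std::vector<Cert> sampleCompleteChain() {
    return {
        {"CN=www.example.test", "CN=Example Intermediate CA",
         "http://aia.example.test/intermediate.cer"},
        {"CN=Example Intermediate CA", "CN=Example Root CA",
         "http://aia.example.test/root.cer"},
    };
}

// Constructed local trust store: only the root is trusted.
const std::set<std::string> &sampleTrustedRoots() {
    static const std::set<std::string> roots = {"CN=Example Root CA"};
    return roots;
}

int main() {
    for (const auto &url : missingChainCertificateUrls(sampleIncompleteChain(), sampleTrustedRoots(), 0))
        std::printf("fetch missing issuer from %s\n", url.c_str());
    std::printf("complete chain needs %zu downloads\n",
                missingChainCertificateUrls(sampleCompleteChain(), sampleTrustedRoots(), 0).size());
    return 0;
}
```

The URL comes out of an unauthenticated certificate, so whatever the downloader fetches is untrusted input until the assembled chain verifies against the local trust store; the fetch should carry the same timeouts and size limits as any other outbound request, and the nesting limit is what keeps a hostile chain from turning the proxy into a fetch loop.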

void Ssl::PeekingPeerConnector::checkForPeekAndSplice ( )
void Ssl::PeekingPeerConnector::checkForPeekAndSpliceDone ( allow_t  answer)

Definition at line 37 of file PeekingPeerConnector.cc.

References allow_t::allowed(), and allow_t::kind.

Referenced by cbCheckForPeekAndSpliceDone().

Ssl::BumpMode Ssl::PeekingPeerConnector::checkForPeekAndSpliceGuess ( ) const

Definition at line 114 of file PeekingPeerConnector.cc.

References Ssl::bumpBump, Ssl::bumpSplice, Ssl::bumpStare, debugs, and request().
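
The step-3 decision that checkForPeekAndSpliceDone() and checkForPeekAndSpliceGuess() make, as an added example that is not Squid's code. It models allow_t as a matched/not-matched flag plus the rule's action, evaluates a constructed ssl_bump rule set with first-match semantics, and falls back to a guess when nothing matched. The guess rule (stare leads to bump, anything else to splice), the set of actions accepted at step 3, and the fail-closed handling of an invalid action are assumptions of this example; the page states only that a guess is made when no rule matches.

```cpp
// Added example, not Squid's code: models the SslBump step-3 decision that
// checkForPeekAndSpliceDone() and checkForPeekAndSpliceGuess() document.
#include <cstdio>
#include <functional>
#include <string>
#include <vector>

// The ssl_bump actions involved at steps 2 and 3. Names follow the Ssl::BumpMode
// enumerators referenced on this page; the values are ours.
enum class BumpMode { None, Peek, Stare, Bump, Splice, Terminate };

// Stand-in for allow_t: did an ssl_bump rule match, and which action did it name.
struct AclAnswer {
    bool allowed = false;
    BumpMode kind = BumpMode::None;
};

// One "ssl_bump <action> <acl>" line. The predicate stands in for the ACL and is
// evaluated against the server name learned while peeking or staring in step 2.
struct SslBumpRule {
    BumpMode action;
    std::function<bool(const std::string &)> acl;
};

// Step-3 access check: the first matching rule wins, as in any squid.conf access
// list. No match leaves allowed == false, which sends the caller to the guess.
AclAnswer checkStep3Rules(const std::vector<SslBumpRule> &rules, const std::string &serverName) {
    for (const auto &r : rules)
        if (r.acl(serverName))
            return {true, r.action};
    return {};
}

// Fallback when no rule matched. Assumption (the page does not state the rule):
// after staring the connection can only be completed by bumping; after peeking
// only by splicing, because peeking forwarded the client's own ClientHello.
BumpMode guessStep3(BumpMode step2Mode) {
    return step2Mode == BumpMode::Stare ? BumpMode::Bump : BumpMode::Splice;
}

// Once the server certificate has been seen only splice, bump and terminate are
// meaningful; a peek or stare action at step 3 is a misconfiguration.
bool validFinalMode(BumpMode m) {
    return m == BumpMode::Splice || m == BumpMode::Bump || m == BumpMode::Terminate;
}

// The sequence cbCheckForPeekAndSpliceDone -> checkForPeekAndSpliceDone ->
// checkForPeekAndSpliceMatched: ACL answer or guess, then validation. An invalid
// final action fails closed (Terminate) rather than silently splicing.
BumpMode decideStep3(const AclAnswer &answer, BumpMode step2Mode) {
    const BumpMode chosen = answer.allowed ? answer.kind : guessStep3(step2Mode);
    return validFinalMode(chosen) ? chosen : BumpMode::Terminate;
}

// Constructed rule set, roughly:
//   ssl_bump splice banking      (server name ends in .bank.test)
//   ssl_bump terminate blocked   (server name is malware.test)
//   ssl_bump bump inspected      (server name ends in .corp.test)
// Everything else falls through to the guess.
std::vector<SslBumpRule> sampleRules() {
    auto endsWith = [](const std::string &s, const std::string &suffix) {
        return s.size() >= suffix.size() &&
               s.compare(s.size() - suffix.size(), suffix.size(), suffix) == 0;
    };
    return {
        {BumpMode::Splice,    [=](const std::string &n) { return endsWith(n, ".bank.test"); }},
        {BumpMode::Terminate, [](const std::string &n) { return n == "malware.test"; }},
        {BumpMode::Bump,      [=](const std::string &n) { return endsWith(n, ".corp.test"); }},
    };
}

const char *modeName(BumpMode m) {
    switch (m) {
    case BumpMode::Bump: return "bump";
    case BumpMode::Splice: return "splice";
    case BumpMode::Terminate: return "terminate";
    case BumpMode::Peek: return "peek";
    case BumpMode::Stare: return "stare";
    default: return "none";
    }
}

int main() {
    const char *hosts[] = {"login.bank.test", "malware.test", "mail.corp.test", "other.test"};
    for (const char *h : hosts) {
        const AclAnswer a = checkStep3Rules(sampleRules(), h);
        std::printf("%-16s after peek -> %-9s after stare -> %s\n", h,
                    modeName(decideStep3(a, BumpMode::Peek)),
                    modeName(decideStep3(a, BumpMode::Stare)));
    }
    return 0;
}
```

The point to take from the fall-through is that an ssl_bump rule set with no catch-all does not leave the connection undecided: the step-2 choice between peek and stare silently selects the default, so a deployment that wants to inspect traffic for unmatched names must stare in step 2 or add an explicit final rule.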

void Ssl::PeekingPeerConnector::checkForPeekAndSpliceMatched ( const Ssl::BumpMode  finalMode)
void Security::PeerConnector::commCloseHandler ( const CommCloseCbParams & params)
protected, inherited
void Security::PeerConnector::connectionClosed ( const char *  reason)
protected, inherited

Definition at line 78 of file PeerConnector.cc.

References callback, debugs, and NULL.

void AsyncJob::deleteThis ( const char *  aReason)
protected, inherited
bool AsyncJob::done ( ) const
protected, inherited

Definition at line 90 of file AsyncJob.cc.

References AsyncJob::doneAll(), NULL, and AsyncJob::stopReason.

Referenced by AsyncJob::callEnd(), and Downloader::downloadFinished().

bool Security::PeerConnector::doneAll ( ) const
protected, virtual, inherited

Reimplemented from AsyncJob.

Definition at line 51 of file PeerConnector.cc.

References callback, and AsyncJob::doneAll().

Security::ContextPointer Ssl::PeekingPeerConnector::getTlsContext ( )
virtual

Must be implemented by the kid classes to return the TLS context object used for building the encryption context objects.

Implements Security::PeerConnector.

Definition at line 131 of file PeekingPeerConnector.cc.

References Config, SquidConfig::ssl_client, and SquidConfig::sslContext.

void Security::PeerConnector::handleNegotiateError ( const int  result)
protected, inherited

Called when the negotiation step aborted either because data needs to be transferred to/from the server or because of an error. In the first case, sets up the appropriate Comm::SetSelect handler; in the second, fills in an error and reports it to the PeerConnector caller.

Definition at line 384 of file PeerConnector.cc.

References DBG_IMPORTANT, debugs, fd_table, and Must.

void Ssl::PeekingPeerConnector::handleServerCertificate ( )

Updates associated client connection manager members if the server certificate was received from the server.

Definition at line 321 of file PeekingPeerConnector.cc.

References fd_table, and request().

void Security::PeerConnector::negotiate ( )
protected, inherited

Performs a single secure connection negotiation step. It is called multiple times until the negotiation finishes or aborts.

Definition at line 176 of file PeerConnector.cc.

References debugs, fd_table, and Comm::IsConnOpen().

void Ssl::PeekingPeerConnector::noteNegotiationDone ( ErrorState * error)
virtual

Called when the SSL negotiation with the server has completed and the certificates have been validated using the cert validator.

Parameters
error: if not NULL, the SSL negotiation was aborted with an error

Reimplemented from Security::PeerConnector.

Definition at line 216 of file PeekingPeerConnector.cc.

References clientConn, Ssl::CommonHostName(), debugs, ErrorState::detail, fd_table, Ssl::ErrorDetail::peerCert(), request(), switchToTunnel(), and _request::url.

void Ssl::PeekingPeerConnector::noteNegotiationError ( const int  result,
const int  ssl_error,
const int  ssl_lib_error 
)
virtual

Called when the SSL_connect function aborts with an SSL negotiation error.

Parameters
result: the SSL_connect return code
ssl_error: the error code returned by the SSL_get_error function
ssl_lib_error: the error returned by the ERR_get_error function

Reimplemented from Security::PeerConnector.

Definition at line 276 of file PeekingPeerConnector.cc.

References BIO_get_data(), Ssl::bumpPeek, Ssl::bumpSplice, Ssl::bumpStare, debugs, Security::ErrorString(), fd_table, Security::PeerConnector::noteNegotiationError(), and ssl_ex_index_ssl_error_detail.

void Security::PeerConnector::noteWantRead ( )
protected, inherited

Called when OpenSSL's SSL_connect function requests more data from the remote SSL server. Sets the read timeout and installs the Squid COMM_SELECT_READ handler.

Definition at line 448 of file PeerConnector.cc.

References BIO_get_data(), COMM_SELECT_READ, DBG_IMPORTANT, debugs, fd_table, Ssl::ServerBio::holdRead(), Security::PeerConnector::NegotiateSsl(), and Comm::SetSelect().

void Ssl::PeekingPeerConnector::noteWantWrite ( )
virtual

Called when OpenSSL's SSL_connect function needs to write data to the remote SSL server. Installs the Squid COMM_SELECT_WRITE handler.

Reimplemented from Security::PeerConnector.

Definition at line 259 of file PeekingPeerConnector.cc.

References BIO_get_data(), Ssl::bumpPeek, Ssl::bumpStare, debugs, fd_table, and Security::PeerConnector::noteWantWrite().

bool Security::PeerConnector::prepareSocket ( )
protected, inherited

Sets up the TCP socket-related notification callbacks for when things go wrong. If the socket is already closed, returns false; otherwise installs the comm_close handler to monitor the socket.

Definition at line 86 of file PeerConnector.cc.

References comm_add_close_handler(), Security::PeerConnector::commCloseHandler(), debugs, fd_table, Comm::IsConnOpen(), and JobCallback.

void Security::PeerConnector::recordNegotiationDetails ( )
protected, inherited

Called after negotiation finishes to record connection details for logging.

Definition at line 158 of file PeerConnector.cc.

References BIO_get_data(), and fd_table.

void Ssl::PeekingPeerConnector::serverCertificateVerified ( )

Runs after the server certificate has been verified, to update client connection manager members.

Definition at line 343 of file PeekingPeerConnector.cc.

References Ssl::CommonHostName(), debugs, fd_table, and request().

Comm::ConnectionPointer const& Security::PeerConnector::serverConnection ( ) const
inline, protected, inherited
void Security::PeerConnector::setReadTimeout ( )
protected, inherited

Sets the read timeout to avoid getting stuck while reading from a silent server.

Definition at line 144 of file PeerConnector.cc.

References commSetConnTimeout(), Config, max(), min(), SquidConfig::read, squid_curtime, and SquidConfig::Timeout.

bool Security::PeerConnector::sslFinalized ( )
protected, inherited

Called after negotiation has finished. Cleans up TLS/SSL state. Returns false if we are now waiting for the certs validation job. Otherwise, returns true, regardless of negotiation success/failure.

Definition at line 223 of file PeerConnector.cc.

References asyncCall(), DBG_IMPORTANT, debugs, Ssl::CertValidationRequest::domainName, ERR_GATEWAY_FAILURE, Ssl::CertValidationRequest::errors, fd_table, Ssl::CertValidationHelper::GetInstance(), request(), Http::scInternalServerError, Ssl::CertValidationRequest::ssl, ssl_ex_index_server, ssl_ex_index_ssl_errors, Security::PeerConnector::sslCrtvdHandleReply(), Ssl::CertValidationHelper::sslSubmit(), and Ssl::TheConfig.

void Security::PeerConnector::start ( )
protected, virtual, inherited

Reimplemented from AsyncJob.

Definition at line 58 of file PeerConnector.cc.

References debugs, and AsyncJob::start().

void Security::PeerConnector::startCertDownloading ( SBuf & url)
protected, inherited
const char * Security::PeerConnector::status ( ) const
protected, virtual, inherited

for debugging, starts with space

Reimplemented from AsyncJob.

Definition at line 586 of file PeerConnector.cc.

References MemBuf::append(), Packable::appendf(), buf, MemBuf::content(), NULL, MemBuf::reset(), and MemBuf::terminate().

void Security::PeerConnector::swanSong ( )
protected, virtual, inherited
virtual void* CbdataParent::toCbdata ( )
pure virtual, inherited
void Ssl::PeekingPeerConnector::tunnelInsteadOfNegotiating ( )
private

Member Data Documentation

AccessLogEntryPointer Security::PeerConnector::al
protected, inherited

Definition at line 180 of file PeerConnector.h.

AsyncCall::Pointer Security::PeerConnector::callback
protected, inherited

Definition at line 181 of file PeerConnector.h.

Referenced by Security::PeerConnector::PeerConnector().

Comm::ConnectionPointer Ssl::PeekingPeerConnector::clientConn
private

Definition at line 75 of file PeekingPeerConnector.h.

AsyncCall::Pointer Ssl::PeekingPeerConnector::closeHandler
private

Definition at line 76 of file PeekingPeerConnector.h.

const InstanceId<AsyncJob> AsyncJob::id
protected, inherited

Definition at line 70 of file AsyncJob.h.

AsyncCall::Pointer AsyncJob::inCall
protected, inherited
HttpRequestPointer Security::PeerConnector::request
protected, inherited
bool Ssl::PeekingPeerConnector::resumingSession
private

Definition at line 78 of file PeekingPeerConnector.h.

bool Ssl::PeekingPeerConnector::serverCertificateHandled
private

Definition at line 79 of file PeekingPeerConnector.h.

Comm::ConnectionPointer Security::PeerConnector::serverConn
protected, inherited

Definition at line 179 of file PeerConnector.h.

Referenced by Security::PeerConnector::serverConnection().

bool Ssl::PeekingPeerConnector::splice
private

Definition at line 77 of file PeekingPeerConnector.h.

const char* AsyncJob::stopReason
protected, inherited

The documentation for this class was generated from the following files:

PeekingPeerConnector.h
PeekingPeerConnector.cc