A PeerConnector for HTTP origin servers. Capable of SslBumping. More...

#include <PeekingPeerConnector.h>


Public Types

typedef CbcPointer< PeerConnector > Pointer
 

Public Member Functions

 PeekingPeerConnector (HttpRequestPointer &aRequest, const Comm::ConnectionPointer &aServerConn, const Comm::ConnectionPointer &aClientConn, AsyncCall::Pointer &aCallback, const AccessLogEntryPointer &alp, time_t timeout=0)
 
virtual bool initialize (Security::SessionPointer &)
 
virtual Security::ContextPointer getTlsContext ()
 
virtual void noteWantWrite ()
 
virtual void noteNegotiationError (const Security::ErrorDetailPointer &)
 Called when the SSL_connect function aborts with an SSL negotiation error. More...
 
virtual void noteNegotiationDone (ErrorState *error)
 
void handleServerCertificate ()
 
void checkForPeekAndSplice ()
 
void checkForPeekAndSpliceDone (Acl::Answer)
 Callback function for ssl_bump acl check in step3 SSL bump step. More...
 
void checkForPeekAndSpliceMatched (const Ssl::BumpMode finalMode)
 Handles the final bumping decision. More...
 
Ssl::BumpMode checkForPeekAndSpliceGuess () const
 Guesses the final bumping decision when no ssl_bump rules match. More...
 
void serverCertificateVerified ()
 
void startTunneling ()
 Abruptly stops TLS negotiation and starts tunneling. More...
 
bool canBeCalled (AsyncCall &call) const
 whether we can be called More...
 
void callStart (AsyncCall &call)
 
virtual void callEnd ()
 called right after the called job method More...
 
virtual void callException (const std::exception &e)
 called when the job throws during an async call More...
 
void handleStopRequest ()
 process external request to terminate now (i.e. during this async call) More...
 
virtual void * toCbdata ()=0
 

Static Public Member Functions

static void cbCheckForPeekAndSpliceDone (Acl::Answer, void *data)
 A wrapper function for checkForPeekAndSpliceDone for use with acl. More...
 
static void Start (const Pointer &job)
 

Public Attributes

bool noteFwdPconnUse
 hack: whether the connection requires fwdPconnPool->noteUses() More...
 
const InstanceId< AsyncJob > id
 job identifier More...
 

Protected Member Functions

virtual void start ()
 Preps connection and SSL state. Calls negotiate(). More...
 
virtual bool doneAll () const
 whether positive goal has been reached More...
 
virtual void swanSong ()
 internal cleanup; do not call directly More...
 
virtual const char * status () const
 for debugging, starts with space More...
 
virtual void fillChecklist (ACLFilledChecklist &) const
 configure the given checklist (to reflect the current transaction state) More...
 
void commTimeoutHandler (const CommTimeoutCbParams &)
 The connection read timeout callback handler. More...
 
void commCloseHandler (const CommCloseCbParams &params)
 The comm_close callback handler. More...
 
void negotiate ()
 
bool sslFinalized ()
 
void handleNegotiationResult (const Security::IoResult &)
 Called after each negotiation step to handle the result. More...
 
void noteWantRead ()
 
bool isSuspended () const
 Whether TLS negotiation has been paused and not yet resumed. More...
 
void suspendNegotiation (const Security::IoResult &lastError)
 
void resumeNegotiation ()
 Resumes TLS negotiation paused by suspendNegotiation() More...
 
void handleMissingCertificates (const Security::IoResult &lastError)
 Either initiates fetching of missing certificates or bails with an error. More...
 
void startCertDownloading (SBuf &url)
 Start downloading procedure for the given URL. More...
 
void certDownloadingDone (SBuf &object, int status)
 Called by Downloader after a certificate object downloaded. More...
 
Comm::ConnectionPointer const & serverConnection () const
 mimics FwdState to minimize changes to FwdState::initiate/negotiateSsl More...
 
void bail (ErrorState *error)
 sends the given error to the initiator More...
 
void sendSuccess ()
 sends the encrypted connection to the initiator More...
 
void callBack ()
 a bail(), sendSuccess() helper: sends results to the initiator More...
 
void disconnect ()
 a bail(), sendSuccess() helper: stops monitoring the connection More...
 
void countFailingConnection ()
 updates connection usage history before the connection is closed More...
 
void bypassCertValidator ()
 If called, the certificate validator will not be used for this connection. More...
 
void recordNegotiationDetails ()
 
EncryptorAnswer & answer ()
 convenience method to get to the answer fields More...
 
void deleteThis (const char *aReason)
 
void mustStop (const char *aReason)
 
bool done () const
 the job is destroyed in callEnd() when done() More...
 

Protected Attributes

HttpRequestPointer request
 peer connection trigger or cause More...
 
Comm::ConnectionPointer serverConn
 TCP connection to the peer. More...
 
AccessLogEntryPointer al
 info for the future access.log entry More...
 
AsyncCall::Pointer callback
 we call this with the results More...
 
const char * stopReason
 reason for forcing done() to be true More...
 
const char * typeName
 kid (leaf) class name, for debugging More...
 
AsyncCall::Pointer inCall
 the asynchronous call being handled, if any More...
 
bool started_ = false
 Start() has finished successfully. More...
 
bool swanSang_ = false
 swanSong() was called More...
 

Private Member Functions

 CBDATA_CLASS (PeekingPeerConnector)
 
void tunnelInsteadOfNegotiating ()
 Inform caller class that the SSL negotiation aborted. More...
 
unsigned int certDownloadNestingLevel () const
 the number of concurrent PeerConnector jobs waiting for us More...
 
void sslCrtvdHandleReply (Ssl::CertValidationResponsePointer)
 Process response from cert validator helper. More...
 
Security::CertErrors * sslCrtvdCheckForErrors (Ssl::CertValidationResponse const &, ErrorDetailPointer &)
 Check SSL errors returned from cert validator against sslproxy_cert_error access list. More...
 
bool computeMissingCertificateUrls (const Connection &)
 finds URLs of (some) missing intermediate certificates or returns false More...
 
void negotiateSsl ()
 Comm::SetSelect() callback. Direct calls tickle/resume negotiations. More...
 

Static Private Member Functions

static void NegotiateSsl (int fd, void *data)
 A wrapper for Comm::SetSelect() notifications. More...
 

Private Attributes

Comm::ConnectionPointer clientConn
 TCP connection to the client. More...
 
AsyncCall::Pointer closeHandler
 we call this when the connection closed More...
 
bool splice
 whether we are going to splice or not More...
 
bool serverCertificateHandled
 whether handleServerCertificate() succeeded More...
 
Security::KeyLogger keyLogger
 manages logging of the secrets of the TLS connection being established (sensitive TLS key material) More...
 
time_t negotiationTimeout
 the SSL connection timeout to use More...
 
time_t startTime
 when the peer connector negotiation started More...
 
bool useCertValidator_
 
std::queue< SBuf > urlsOfMissingCerts
 The list of URLs where missing certificates should be downloaded. More...
 
unsigned int certsDownloads
 the number of downloaded missing certificates More...
 
Ssl::X509_STACK_Pointer downloadedCerts
 successfully downloaded intermediate certificates (omitted by the peer) More...
 
Security::IoResultPointer suspendedError_
 outcome of the last (failed and) suspended negotiation attempt (or nil) More...
 
JobWait< Downloader > certDownloadWait
 waits for the missing certificate to be downloaded More...
 

Static Private Attributes

static const unsigned int MaxCertsDownloads = 10
 The maximum number of missing certificates a single PeerConnector may download. More...
 
static const unsigned int MaxNestedDownloads = 3
 The maximum number of inter-dependent Downloader jobs a worker may initiate. More...
 

Detailed Description

Definition at line 20 of file PeekingPeerConnector.h.

Member Typedef Documentation

◆ Pointer

Definition at line 53 of file PeerConnector.h.

Constructor & Destructor Documentation

◆ PeekingPeerConnector()

Ssl::PeekingPeerConnector::PeekingPeerConnector ( HttpRequestPointer aRequest,
const Comm::ConnectionPointer aServerConn,
const Comm::ConnectionPointer aClientConn,
AsyncCall::Pointer aCallback,
const AccessLogEntryPointer alp,
time_t  timeout = 0 
)

Member Function Documentation

◆ answer()

Security::EncryptorAnswer & Security::PeerConnector::answer ( )
protectedinherited

Definition at line 494 of file PeerConnector.cc.

References assert.

◆ bail()

void Security::PeerConnector::bail ( ErrorState error)
protectedinherited

Definition at line 503 of file PeerConnector.cc.

References error(), and Must.

◆ bypassCertValidator()

void Security::PeerConnector::bypassCertValidator ( )
inlineprotectedinherited

Definition at line 166 of file PeerConnector.h.

References Security::PeerConnector::useCertValidator_.

◆ callBack()

void Security::PeerConnector::callBack ( )
protectedinherited

Definition at line 555 of file PeerConnector.cc.

References conn, debugs, NULL, and ScheduleCallHere.

◆ callEnd()

void AsyncJob::callEnd ( )
virtualinherited

◆ callException()

◆ callStart()

void AsyncJob::callStart ( AsyncCall call)
inherited

◆ canBeCalled()

bool AsyncJob::canBeCalled ( AsyncCall call) const
inherited

Definition at line 102 of file AsyncJob.cc.

References AsyncCall::cancel(), debugs, HERE(), AsyncJob::inCall, and NULL.

◆ cbCheckForPeekAndSpliceDone()

void Ssl::PeekingPeerConnector::cbCheckForPeekAndSpliceDone ( Acl::Answer  aclAnswer,
void *  data 
)
static

Definition at line 51 of file PeekingPeerConnector.cc.

References CallJobHere1.

Referenced by checkForPeekAndSplice().

◆ CBDATA_CLASS()

Ssl::PeekingPeerConnector::CBDATA_CLASS ( PeekingPeerConnector  )
private

◆ certDownloadingDone()

void Security::PeerConnector::certDownloadingDone ( SBuf object,
int  status 
)
protectedinherited

◆ certDownloadNestingLevel()

unsigned int Security::PeerConnector::certDownloadNestingLevel ( ) const
privateinherited

Definition at line 622 of file PeerConnector.cc.

References request().

◆ checkForPeekAndSplice()

void Ssl::PeekingPeerConnector::checkForPeekAndSplice ( )

◆ checkForPeekAndSpliceDone()

void Ssl::PeekingPeerConnector::checkForPeekAndSpliceDone ( Acl::Answer  aclAnswer)

Definition at line 59 of file PeekingPeerConnector.cc.

References Acl::Answer::allowed(), and Acl::Answer::kind.

◆ checkForPeekAndSpliceGuess()

Ssl::BumpMode Ssl::PeekingPeerConnector::checkForPeekAndSpliceGuess ( ) const

Definition at line 129 of file PeekingPeerConnector.cc.

References Ssl::bumpBump, Ssl::bumpSplice, Ssl::bumpStare, debugs, and request().

◆ checkForPeekAndSpliceMatched()

◆ commCloseHandler()

void Security::PeerConnector::commCloseHandler ( const CommCloseCbParams params)
protectedinherited

◆ commTimeoutHandler()

void Security::PeerConnector::commTimeoutHandler ( const CommTimeoutCbParams )
protectedinherited

◆ computeMissingCertificateUrls()

bool Security::PeerConnector::computeMissingCertificateUrls ( const Connection sconn)
privateinherited

Definition at line 730 of file PeerConnector.cc.

References assert, debugs, and Ssl::missingChainCertificatesUrls().

◆ countFailingConnection()

void Security::PeerConnector::countFailingConnection ( )
protectedinherited

◆ deleteThis()

void AsyncJob::deleteThis ( const char *  aReason)
protectedinherited

◆ disconnect()

void Security::PeerConnector::disconnect ( )
protectedinherited

◆ done()

bool AsyncJob::done ( ) const
protectedinherited

◆ doneAll()

bool Security::PeerConnector::doneAll ( ) const
protectedvirtualinherited

Reimplemented from AsyncJob.

Definition at line 62 of file PeerConnector.cc.

References AsyncJob::doneAll().

◆ fillChecklist()

void Security::PeerConnector::fillChecklist ( ACLFilledChecklist ) const
protectedvirtualinherited

◆ getTlsContext()

Security::ContextPointer Ssl::PeekingPeerConnector::getTlsContext ( )
virtual

Must be implemented by the kid classes to return the TLS context object to use for building the encryption context objects.

Implements Security::PeerConnector.

Definition at line 146 of file PeekingPeerConnector.cc.

References Config, SquidConfig::ssl_client, and SquidConfig::sslContext.

◆ handleMissingCertificates()

void Security::PeerConnector::handleMissingCertificates ( const Security::IoResult lastError)
protectedinherited

◆ handleNegotiationResult()

◆ handleServerCertificate()

void Ssl::PeekingPeerConnector::handleServerCertificate ( )

Updates associated client connection manager members if the server certificate was received from the server.

Definition at line 373 of file PeekingPeerConnector.cc.

References fd_table, and request().

◆ handleStopRequest()

void AsyncJob::handleStopRequest ( )
inlineinherited

Definition at line 71 of file AsyncJob.h.

References AsyncJob::mustStop().

◆ initialize()

◆ isSuspended()

bool Security::PeerConnector::isSuspended ( ) const
inlineprotectedinherited

Definition at line 111 of file PeerConnector.h.

References Security::PeerConnector::suspendedError_.

◆ mustStop()

◆ negotiate()

void Security::PeerConnector::negotiate ( )
protectedinherited

Performs a single secure connection negotiation step. It is called multiple times until the negotiation finishes or aborts.

Definition at line 207 of file PeerConnector.cc.

References Ssl::VerifyCallbackParameters::At(), Security::Connect(), DBG_IMPORTANT, debugs, fd_table, Security::IoResult::ioSuccess, Comm::IsConnOpen(), and Must.

◆ negotiateSsl()

void Security::PeerConnector::negotiateSsl ( )
privateinherited

Definition at line 446 of file PeerConnector.cc.

References CallJobHere.

◆ NegotiateSsl()

void Security::PeerConnector::NegotiateSsl ( int  fd,
void *  data 
)
staticprivateinherited

Definition at line 436 of file PeerConnector.cc.

◆ noteNegotiationDone()

void Ssl::PeekingPeerConnector::noteNegotiationDone ( ErrorState )
virtual

Called when the SSL negotiation to the server has completed and the certificates have been validated using the cert validator.

Parameters
error: if not NULL, the SSL negotiation was aborted with an error

Reimplemented from Security::PeerConnector.

Definition at line 227 of file PeekingPeerConnector.cc.

References Ssl::CommonHostName(), debugs, ERR_GATEWAY_FAILURE, error(), fd_table, Here, Comm::IsConnOpen(), request(), Http::scInternalServerError, and _request::url.

◆ noteNegotiationError()

◆ noteWantRead()

void Security::PeerConnector::noteWantRead ( )
protectedinherited

Called when the OpenSSL SSL_connect function requests more data from the remote SSL server. Sets the read timeout and sets the Squid COMM_SELECT_READ handler.

Definition at line 453 of file PeerConnector.cc.

References COMM_SELECT_READ, commSetConnTimeout(), Security::PeerConnector::commTimeoutHandler(), debugs, Comm::IsConnOpen(), JobCallback, Comm::MortalReadTimeout(), Must, and Comm::SetSelect().

◆ noteWantWrite()

void Ssl::PeekingPeerConnector::noteWantWrite ( )
virtual

Called when the OpenSSL SSL_connect function needs to write data to the remote SSL server. Sets the Squid COMM_SELECT_WRITE handler.

Reimplemented from Security::PeerConnector.

Definition at line 294 of file PeekingPeerConnector.cc.

References BIO_get_data(), Ssl::ServerBio::bumpMode(), Ssl::bumpPeek, Ssl::bumpStare, debugs, fd_table, Ssl::ServerBio::holdWrite(), and Security::PeerConnector::noteWantWrite().

◆ recordNegotiationDetails()

void Security::PeerConnector::recordNegotiationDetails ( )
protectedinherited

Called after negotiation finishes to record connection details for logging

Definition at line 187 of file PeerConnector.cc.

References BIO_get_data(), fd_table, Comm::IsConnOpen(), Must, and Ssl::ServerBio::receivedHelloDetails().

◆ resumeNegotiation()

void Security::PeerConnector::resumeNegotiation ( )
protectedinherited

Definition at line 759 of file PeerConnector.cc.

References fd_table, Must, SQUID_TLS_ERR_CONNECT, and Ssl::VerifyConnCertificates().

◆ sendSuccess()

void Security::PeerConnector::sendSuccess ( )
protectedinherited

Definition at line 518 of file PeerConnector.cc.

References assert, and Comm::IsConnOpen().

◆ serverCertificateVerified()

void Ssl::PeekingPeerConnector::serverCertificateVerified ( )

◆ serverConnection()

Comm::ConnectionPointer const& Security::PeerConnector::serverConnection ( ) const
inlineprotectedinherited

◆ sslCrtvdCheckForErrors()

Security::CertErrors * Security::PeerConnector::sslCrtvdCheckForErrors ( Ssl::CertValidationResponse const &  resp,
ErrorDetailPointer errDetails 
)
privateinherited

Checks the errors in the cert validator response against the sslproxy_cert_error access list. The first honored (i.e. not allowed by sslproxy_cert_error) error, if any, is returned via the errDetails parameter. The method returns all seen errors except SSL_ERROR_NONE as Security::CertErrors.

Definition at line 378 of file PeerConnector.cc.

References acl_access, Acl::Answer::allowed(), assert, SquidConfig::cert_error, Config, dash_str, debugs, Ssl::CertValidationResponse::errors, ACLChecklist::fastCheck(), fd_table, Comm::IsConnOpen(), Must, NULL, CbDataList< C >::push_back_unique(), request(), SquidConfig::ssl_client, and ACLFilledChecklist::sslErrors.

◆ sslCrtvdHandleReply()

◆ sslFinalized()

bool Security::PeerConnector::sslFinalized ( )
protectedinherited

Called after negotiation has finished. Cleans up TLS/SSL state. Returns false if we are now waiting for the certs validation job. Otherwise, returns true, regardless of negotiation success/failure.

Definition at line 282 of file PeerConnector.cc.

References asyncCall(), DBG_IMPORTANT, debugs, Ssl::CertValidationRequest::domainName, ERR_GATEWAY_FAILURE, Ssl::CertValidationRequest::errors, fd_table, Comm::IsConnOpen(), Must, NULL, request(), Http::scInternalServerError, Ssl::CertValidationRequest::ssl, ssl_ex_index_server, ssl_ex_index_ssl_errors, Security::PeerConnector::sslCrtvdHandleReply(), Ssl::CertValidationHelper::Submit(), and Ssl::TheConfig.

◆ start()

void Security::PeerConnector::start ( )
protectedvirtualinherited

Reimplemented from AsyncJob.

Definition at line 69 of file PeerConnector.cc.

References assert, debugs, ERR_CONNECT_FAIL, fd_table, Comm::IsConnOpen(), request(), Http::scBadGateway, and AsyncJob::start().

◆ Start()

◆ startCertDownloading()

void Security::PeerConnector::startCertDownloading ( SBuf url)
protectedinherited

◆ startTunneling()

void Ssl::PeekingPeerConnector::startTunneling ( )

Definition at line 274 of file PeekingPeerConnector.cc.

References BIO_get_data(), debugs, fd_table, request(), and switchToTunnel().

◆ status()

const char * Security::PeerConnector::status ( ) const
protectedvirtualinherited

for debugging, starts with space

Reimplemented from AsyncJob.

Definition at line 582 of file PeerConnector.cc.

References MemBuf::append(), Packable::appendf(), MemBuf::content(), Comm::IsConnOpen(), NULL, MemBuf::reset(), and MemBuf::terminate().

◆ suspendNegotiation()

void Security::PeerConnector::suspendNegotiation ( const Security::IoResult lastError)
protectedinherited

Suspends TLS negotiation to download the missing certificates

Parameters
lastError: an error to handle when resuming negotiations

Definition at line 749 of file PeerConnector.cc.

References debugs, and Must.

◆ swanSong()

void Security::PeerConnector::swanSong ( )
protectedvirtualinherited

Reimplemented from AsyncJob.

Definition at line 567 of file PeerConnector.cc.

References assert, ERR_GATEWAY_FAILURE, request(), Http::scInternalServerError, and AsyncJob::swanSong().

◆ toCbdata()

virtual void* CbdataParent::toCbdata ( )
pure virtualinherited

◆ tunnelInsteadOfNegotiating()

void Ssl::PeekingPeerConnector::tunnelInsteadOfNegotiating ( )
private

Member Data Documentation

◆ al

AccessLogEntryPointer Security::PeerConnector::al
protectedinherited

Definition at line 177 of file PeerConnector.h.

◆ callback

AsyncCall::Pointer Security::PeerConnector::callback
protectedinherited

Definition at line 178 of file PeerConnector.h.

Referenced by Security::PeerConnector::PeerConnector().

◆ certDownloadWait

JobWait<Downloader> Security::PeerConnector::certDownloadWait
privateinherited

Definition at line 223 of file PeerConnector.h.

◆ certsDownloads

unsigned int Security::PeerConnector::certsDownloads
privateinherited

Definition at line 213 of file PeerConnector.h.

◆ clientConn

Comm::ConnectionPointer Ssl::PeekingPeerConnector::clientConn
private

Definition at line 69 of file PeekingPeerConnector.h.

◆ closeHandler

AsyncCall::Pointer Ssl::PeekingPeerConnector::closeHandler
private

Definition at line 70 of file PeekingPeerConnector.h.

◆ downloadedCerts

Ssl::X509_STACK_Pointer Security::PeerConnector::downloadedCerts
privateinherited

Definition at line 217 of file PeerConnector.h.

◆ id

const InstanceId<AsyncJob> AsyncJob::id
inherited

Definition at line 73 of file AsyncJob.h.

◆ inCall

AsyncCall::Pointer AsyncJob::inCall
protectedinherited

◆ keyLogger

Security::KeyLogger Security::PeerConnector::keyLogger
privateinherited

Definition at line 205 of file PeerConnector.h.

◆ MaxCertsDownloads

const unsigned int Security::PeerConnector::MaxCertsDownloads = 10
staticprivateinherited

Definition at line 199 of file PeerConnector.h.

◆ MaxNestedDownloads

const unsigned int Security::PeerConnector::MaxNestedDownloads = 3
staticprivateinherited

Definition at line 202 of file PeerConnector.h.

◆ negotiationTimeout

time_t Security::PeerConnector::negotiationTimeout
privateinherited

Definition at line 208 of file PeerConnector.h.

◆ noteFwdPconnUse

bool Security::PeerConnector::noteFwdPconnUse
inherited

Definition at line 72 of file PeerConnector.h.

Referenced by FwdState::secureConnectionToPeer().

◆ request

HttpRequestPointer Security::PeerConnector::request
protectedinherited

◆ serverCertificateHandled

bool Ssl::PeekingPeerConnector::serverCertificateHandled
private

Definition at line 72 of file PeekingPeerConnector.h.

◆ serverConn

Comm::ConnectionPointer Security::PeerConnector::serverConn
protectedinherited

◆ splice

bool Ssl::PeekingPeerConnector::splice
private

Definition at line 71 of file PeekingPeerConnector.h.

◆ started_

bool AsyncJob::started_ = false
protectedinherited

Definition at line 83 of file AsyncJob.h.

Referenced by AsyncJob::~AsyncJob(), AsyncJob::callEnd(), and AsyncJob::Start().

◆ startTime

time_t Security::PeerConnector::startTime
privateinherited

Definition at line 209 of file PeerConnector.h.

◆ stopReason

const char* AsyncJob::stopReason
protectedinherited

◆ suspendedError_

Security::IoResultPointer Security::PeerConnector::suspendedError_
privateinherited

Definition at line 221 of file PeerConnector.h.

Referenced by Security::PeerConnector::isSuspended().

◆ swanSang_

bool AsyncJob::swanSang_ = false
protectedinherited

Definition at line 84 of file AsyncJob.h.

Referenced by AsyncJob::~AsyncJob(), and AsyncJob::callEnd().

◆ typeName

◆ urlsOfMissingCerts

std::queue<SBuf> Security::PeerConnector::urlsOfMissingCerts
privateinherited

Definition at line 212 of file PeerConnector.h.

◆ useCertValidator_

bool Security::PeerConnector::useCertValidator_
privateinherited

whether the certificate validator should be bypassed

Definition at line 210 of file PeerConnector.h.

Referenced by Security::PeerConnector::bypassCertValidator().


The documentation for this class was generated from the following files:

 
