Support for slow ssl_bump ACLs
Allow slow ACLs with ssl_bump option in squid.conf to enable destination domain (and possibly other) slow ACL checks.
=== modified file 'src/ClientRequestContext.h'
--- src/ClientRequestContext.h 2010-11-21 09:24:35 +0000
+++ src/ClientRequestContext.h 2011-05-06 14:03:01 +0000
@@ -36,6 +36,16 @@
 void adaptationAccessCheck();
 void adaptationAclCheckDone(Adaptation::ServiceGroupPointer g);
 #endif
+#if USE_SSL
+ /**
+ * Initiates and start the acl checklist to check if the a CONNECT
+ * request must be bumped.
+ \retval true if the acl check scheduled, false if no ssl-bump required
+ */
+ bool sslBumpAccessCheck();
+ /// The callback function for ssl-bump access check list
+ void sslBumpAccessCheckDone(bool doSslBump);
+#endif
 ClientHttpRequest *http;
 ACLChecklist *acl_checklist; /* need ptr back so we can unreg if needed */
@@ -51,6 +61,9 @@
 bool interpreted_req_hdrs;
 bool tosToClientDone;
 bool nfmarkToClientDone;
+#if USE_SSL
+ bool sslBumpCheckDone;
+#endif
 private:
 CBDATA_CLASS(ClientRequestContext);
=== modified file 'src/client_side_request.cc'
--- src/client_side_request.cc 2011-03-30 09:02:51 +0000
+++ src/client_side_request.cc 2011-05-06 17:46:28 +0000
@@ -112,6 +112,9 @@
 /* Local functions */
 /* other */
 static void clientAccessCheckDoneWrapper(int, void *);
+#if USE_SSL
+static void sslBumpAccessCheckDoneWrapper(int, void *);
+#endif
 static int clientHierarchical(ClientHttpRequest * http);
 static void clientInterpretRequestHeaders(ClientHttpRequest * http);
 static RH clientRedirectDoneWrapper;
@@ -140,6 +143,9 @@
 redirect_done = false;
 no_cache_done = false;
 interpreted_req_hdrs = false;
+#if USE_SSL
+ sslBumpCheckDone = false;
+#endif
 debugs(85,3, HERE << this << " ClientRequestContext constructed");
 }
@@ -173,6 +179,9 @@
 #if USE_ADAPTATION
 request_satisfaction_mode = false;
 #endif
+#if USE_SSL
+ sslBumpNeed = needUnknown;
+#endif
 }
 /*
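Review bot: The Doxygen comment on the new sslBumpAccessCheck() declaration in the ClientRequestContext.h hunk reads awkwardly ("Initiates and start the acl checklist to check if the a CONNECT") and its \retval line documents both outcomes of a bool in one sentence. I would rewrite it as `/// Starts a non-blocking ssl_bump ACL check for a CONNECT request. \retval true the check was scheduled and sslBumpAccessCheckDone() will be called later; \retval false no ssl-bump is possible for this request and no callback follows`. It would also help to say on the new sslBumpCheckDone flag in the second hunk that it only records whether the check has been started, not its outcome, since the outcome is stored in ClientHttpRequest::sslBumpNeed and the flag is set before the check is even scheduled.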
@@ -1111,6 +1120,46 @@
 http->doCallouts();
 }
+#if USE_SSL
+bool
+ClientRequestContext::sslBumpAccessCheck()
+{
+ if (http->request->method == METHOD_CONNECT &&
+ Config.accessList.ssl_bump && http->getConn()->port->sslBump) {
+ debugs(85, 5, HERE << "SslBump possible, checking ACL");
+ ACLFilledChecklist *acl_checklist = clientAclChecklistCreate(Config.accessList.ssl_bump, http);
+ acl_checklist->nonBlockingCheck(sslBumpAccessCheckDoneWrapper, this);
+ return true;
+ }
+ else {
+ http->sslBumpNeeded(false);
+ return false;
+ }
+}
+
+/**
+ * A wrapper function to use the ClientRequestContext::sslBumpAccessCheckDone method
+ * as ACLFilledChecklist callback
+ */
+static void
+sslBumpAccessCheckDoneWrapper(int answer, void *data)
+{
+ ClientRequestContext *calloutContext = static_cast(data);
+
+ if (!calloutContext->httpStateIsValid())
+ return;
+ calloutContext->sslBumpAccessCheckDone(answer == ACCESS_ALLOWED);
+}
+
+void
+ClientRequestContext::sslBumpAccessCheckDone(bool doSslBump)
+{
+ http->sslBumpNeeded(doSslBump);
+ http->doCallouts();
+}
+#endif
+
 /*
 * Identify requests that do not go through the store and client side stream
 * and forward them to the appropriate location. All other requests, request
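Review bot: In sslBumpAccessCheck() the local `ACLFilledChecklist *acl_checklist` shadows the ClientRequestContext::acl_checklist member declared in the header hunk above ("need ptr back so we can unreg if needed"), so the pending ssl_bump checklist is never recorded on the context and cannot be unregistered if the request is torn down while the slow check is still in flight. I would assign to the member instead, `acl_checklist = clientAclChecklistCreate(Config.accessList.ssl_bump, http);`, and reset it in sslBumpAccessCheckDone() the way the other access-check callbacks presumably do (their bodies are outside this diff). The condition also dereferences `http->getConn()->port` with no null check; if getConn() can be NULL for a CONNECT request on any path that reaches doCallouts(), the branch should guard on it before reading port->sslBump. Finally, `static_cast(data)` in the wrapper has no template argument as rendered here, most likely the angle brackets were lost in extraction, but it is worth confirming the committed line reads `static_cast<ClientRequestContext *>(data)`.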
@@ -1155,19 +1204,18 @@
 #if USE_SSL
-// determines whether we should bump the CONNECT request
 bool
 ClientHttpRequest::sslBumpNeeded() const
 {
- if (!getConn()->port->sslBump || !Config.accessList.ssl_bump)
- return false;
-
- debugs(85, 5, HERE << "SslBump possible, checking ACL");
-
- ACLFilledChecklist check(Config.accessList.ssl_bump, request, NULL);
- check.src_addr = request->client_addr;
- check.my_addr = request->my_addr;
- return check.fastCheck() == 1;
+ assert(sslBumpNeed != needUnknown);
+ return (sslBumpNeed == needConfirmed);
+}
+
+void
+ClientHttpRequest::sslBumpNeeded(bool isNeeded)
+{
+ debugs(83, 3, HERE << "sslBump required: "<< (isNeeded ? "Yes" : "No"));
+ sslBumpNeed = (isNeeded ? needConfirmed : needNot);
 }
 // called when comm_write has completed
@@ -1368,6 +1416,13 @@
 }
 }
+ if (!calloutContext->sslBumpCheckDone) {
+ calloutContext->sslBumpCheckDone = true;
+ if (calloutContext->sslBumpAccessCheck())
+ return;
+ /* else no ssl bump required*/
+ }
+
 cbdataReferenceDone(calloutContext->http);
 delete calloutContext;
 calloutContext = NULL;
=== modified file 'src/client_side_request.h'
--- src/client_side_request.h 2011-03-30 08:46:08 +0000
+++ src/client_side_request.h 2011-05-06 17:25:21 +0000
@@ -149,8 +149,14 @@
 ConnStateData * conn_;
 #if USE_SSL
+ /// whether the request needs to be bumped
+ enum { needUnknown, needConfirmed, needNot } sslBumpNeed;
+
 public:
+ /// return true if the request needs to be bumped
 bool sslBumpNeeded() const;
+ /// set the sslBumpNeeded state
+ void sslBumpNeeded(bool isNeeded);
 void sslBumpStart();
 void sslBumpEstablish(comm_err_t errflag);
 #endif
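Review bot: The new `assert(sslBumpNeed != needUnknown)` in ClientHttpRequest::sslBumpNeeded() turns an ordering mistake into a process abort: sslBumpNeed is only set once doCallouts() reaches the ssl_bump step added in the second hunk, and doCallouts() has earlier return paths (outside this hunk) on which that step is never reached, so a caller that queries sslBumpNeeded() for such a CONNECT request would take down the whole proxy on a path a client can drive. The code being removed answered false whenever bumping was not possible; I would keep that fail-safe default and log instead, `if (sslBumpNeed == needUnknown) { debugs(83, 2, HERE << "sslBumpNeeded() called before the ssl_bump check ran"); return false; }`. The callers of sslBumpNeeded() are not in this diff, so whether one of the early-return paths actually reaches them needs to be checked rather than assumed.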