BlindPeerConnector_8cc_source.html

/*

 * Copyright (C) 1996-2025 The Squid Software Foundation and contributors

 *

 * Squid software is distributed under GPLv2+ license and includes

 * contributions from numerous individuals and organizations.

 * Please see the COPYING and CONTRIBUTORS files for details.

 */


#include "squid.h"

#include "AccessLogEntry.h"

#include "CachePeer.h"

#include "comm/Connection.h"

#include "errorpage.h"

#include "fde.h"

#include "HttpRequest.h"

#include "neighbors.h"

#include "security/BlindPeerConnector.h"

#include "security/NegotiationHistory.h"

#include "SquidConfig.h"


CBDATA_NAMESPACED_CLASS_INIT(Security, BlindPeerConnector);


Security::FuturePeerContext *


Security::BlindPeerConnector::peerContext() const

{

    const auto peer = serverConnection()->getPeer();

    if (peer && peer->secure.encryptTransport)

        return peer->securityContext();


    return Config.ssl_client.defaultPeerContext;

}


bool


Security::BlindPeerConnector::initialize(Security::SessionPointer &serverSession)

{

    if (!Security::PeerConnector::initialize(serverSession)) {

        debugs(83, 5, "Security::PeerConnector::initialize failed");

        return false;

    }


    const CachePeer *peer = serverConnection()->getPeer();

    if (peer && peer->secure.encryptTransport) {

        assert(peer);


        // NP: domain may be a raw-IP but it is now always set

        assert(!peer->secure.sslDomain.isEmpty());


#if USE_OPENSSL

        // const loss is okay here, ssl_ex_index_server is only read and not assigned a destructor

        SBuf *host = new SBuf(peer->secure.sslDomain);

        SSL_set_ex_data(serverSession.get(), ssl_ex_index_server, host);

        Ssl::setClientSNI(serverSession.get(), host->c_str());


        Security::SetSessionResumeData(serverSession, peer->sslSession);

    } else {

        SBuf *hostName = new SBuf(request->url.host());

        SSL_set_ex_data(serverSession.get(), ssl_ex_index_server, (void*)hostName);

        Ssl::setClientSNI(serverSession.get(), hostName->c_str());

#endif

    }


    debugs(83, 5, "success");

    return true;

}


void


Security::BlindPeerConnector::noteNegotiationDone(ErrorState *error)

{

    auto *peer = serverConnection()->getPeer();


    if (error) {

        debugs(83, 5, "error=" << (void*)error);

        // XXX: FwdState calls NoteOutgoingConnectionSuccess() after an OK TCP connect, but

        // we call noteFailure() if SSL failed afterwards. Is that OK?

        // It is not clear whether we should call noteSuccess()/noteFailure()/etc.

        // based on TCP results, SSL results, or both. And the code is probably not

        // consistent in this aspect across tunnelling and forwarding modules.

        if (peer && peer->secure.encryptTransport)

            peer->noteFailure();

        return;

    }


    if (peer && peer->secure.encryptTransport) {

        const int fd = serverConnection()->fd;

        Security::MaybeGetSessionResumeData(fd_table[fd].ssl, peer->sslSession);

    }

}


Security::BlindPeerConnector::BlindPeerConnector(HttpRequestPointer &aRequest,

        const Comm::ConnectionPointer &aServerConn,

        const AsyncCallback<EncryptorAnswer> &aCallback,

        const AccessLogEntryPointer &alp,

        time_t timeout) :

    AsyncJob("Security::BlindPeerConnector"),

    Security::PeerConnector(aServerConn, aCallback, alp, timeout)

{

    request = aRequest;

}


AccessLogEntry.h

BlindPeerConnector.h

CachePeer.h

Connection.h

HttpRequest.h

NegotiationHistory.h

Config
class SquidConfig Config
Definition SquidConfig.cc:12

SquidConfig.h

error
void error(char *format,...)

assert
#define assert(EX)
Definition assert.h:17

CBDATA_NAMESPACED_CLASS_INIT
#define CBDATA_NAMESPACED_CLASS_INIT(namespace, type)
Definition cbdata.h:333

AsyncCallback
a smart AsyncCall pointer for delivery of future results
Definition AsyncCallbacks.h:32

AsyncJob
Definition AsyncJob.h:32

CachePeer
Definition CachePeer.h:29

CachePeer::securityContext
Security::FuturePeerContext * securityContext()
Definition CachePeer.cc:63

CachePeer::secure
Security::PeerOptions secure
security settings for peer connection
Definition CachePeer.h:219

CachePeer::sslSession
Security::SessionStatePointer sslSession
Definition CachePeer.h:223

Comm::Connection::getPeer
CachePeer * getPeer() const
Definition Connection.cc:110

ErrorState
Definition errorpage.h:89

RefCount< HttpRequest >

SBuf
Definition SBuf.h:94

SBuf::c_str
const char * c_str()
Definition SBuf.cc:516

SBuf::isEmpty
bool isEmpty() const
Definition SBuf.h:435

Security::BlindPeerConnector::noteNegotiationDone
void noteNegotiationDone(ErrorState *) override
Definition BlindPeerConnector.cc:67

Security::BlindPeerConnector::initialize
bool initialize(Security::SessionPointer &) override
Definition BlindPeerConnector.cc:34

Security::BlindPeerConnector::peerContext
FuturePeerContext * peerContext() const override
Definition BlindPeerConnector.cc:24

Security::BlindPeerConnector::BlindPeerConnector
BlindPeerConnector(HttpRequestPointer &aRequest, const Comm::ConnectionPointer &aServerConn, const AsyncCallback< EncryptorAnswer > &aCallback, const AccessLogEntryPointer &alp, time_t timeout=0)
Definition BlindPeerConnector.cc:89

Security::FuturePeerContext
A combination of PeerOptions and the corresponding Context.
Definition PeerOptions.h:155

Security::PeerConnector
Definition PeerConnector.h:49

Security::PeerConnector::initialize
virtual bool initialize(Security::SessionPointer &)
Definition PeerConnector.cc:139

Security::PeerConnector::request
HttpRequestPointer request
peer connection trigger or cause
Definition PeerConnector.h:165

Security::PeerConnector::serverConnection
Comm::ConnectionPointer const & serverConnection() const
mimics FwdState to minimize changes to FwdState::initiate/negotiateSsl
Definition PeerConnector.h:138

Security::PeerOptions::sslDomain
SBuf sslDomain
Definition PeerOptions.h:86

Security::PeerOptions::encryptTransport
bool encryptTransport
whether transport encryption (TLS/SSL) is to be used on connections to the peer
Definition PeerOptions.h:147

SquidConfig::ssl_client
struct SquidConfig::@99 ssl_client

SquidConfig::defaultPeerContext
Security::FuturePeerContext * defaultPeerContext
Definition SquidConfig.h:506

debugs
#define debugs(SECTION, LEVEL, CONTENT)
Definition Stream.h:192

errorpage.h

fde.h

fd_table
#define fd_table
Definition fde.h:189

ssl_ex_index_server
int ssl_ex_index_server

Ssl::setClientSNI
void setClientSNI(SSL *ssl, const char *fqdn)
Definition support.cc:1166

Security
Network/connection security abstraction layer.
Definition Connection.h:34

Security::SetSessionResumeData
void SetSessionResumeData(const Security::SessionPointer &, const Security::SessionStatePointer &)
Definition Session.cc:280

Security::SessionPointer
std::shared_ptr< SSL > SessionPointer
Definition Session.h:53

Security::MaybeGetSessionResumeData
void MaybeGetSessionResumeData(const Security::SessionPointer &, Security::SessionStatePointer &data)
Definition Session.cc:259

neighbors.h

squid.h