[squid-dev] [PATCH] PeerConnector shuffling to libsecurity
Amos Jeffries
squid3 at treenet.co.nz
Fri Apr 22 15:05:46 UTC 2016
On 15/04/2016 5:27 a.m., Alex Rousskov wrote:
> On 04/14/2016 06:23 AM, Amos Jeffries wrote:
>> This patch shuffles the Ssl::PeerConnector to Security::TlsPeerEncryptor
>> and Ssl::BlindPeerConnector to Security::BlindTlsPeerEncryptor.
>
> I have already given up on fighting you about pointless and inconsistent
> SSL/TLS/Security renames, but please at least do not nest layers until
> we actually need that nesting: Use either Security::PeerEncryptor or
> TlsPeerEncryptor, not Security::TlsPeerEncryptor. I recommend
> Security::PeerEncryptor because the API users do not care much about the
> protocol being used.
>
Okay, dropped the "Tls" part.
>
>> +#elif USE_GNUTLS
>> + // XXX: no GnuTLS support for cert validation helper yet
>> +#endif
> ...
>> +#elif USE_GNUTLS
>> + // TODO
>> +#endif
> ...
>
> I object to ongoing pollution of innocent code with USE_GNUTLS that
> cannot be used: Having to deal with USE_OPENSSL is bad enough. Please do
> not quadruple the problem by adding [unused] #USE_GNUTLS everywhere!
>
>> +#if USE_OPENSSL
>> if (serverConnection()->getPeer() && !SSL_session_reused(ssl)) {
> ...
>> +#elif USE_GNUTLS
>> + if (serverConnection()->getPeer() && !gnutls_session_is_resumed(ssl)) {
>> +#endif
>
> The above is just one of many examples of how GnuTLS support should
> _not_ be introduced. The above code should look like this:
>
> if (serverConnection()->getPeer() && ssl->resumedSession())
> ...
>
> or, at the very least, like this:
>
> if (serverConnection()->getPeer() && !session_is_resumed(ssl))
> ...
>
> No duplication of logic, no constant thinking of what API each library
> uses, no #ifdefs, and no invasive predictions about what GnuTLS code
> will need when GnuTLS support is actually added. If you are not ready to
> add GnuTLS support the right way, please do not add GnuTLS support at all!
>
> The "wrong way to move towards GnuTLS support" problem discussed above
> is the biggest problem with the proposed patch that I can see. Please do
> not commit until that problem is resolved.
>
>
>> This shuffling is a required step to simplify converting the basic TLS
>> I/O logic to libsecurity and for GnuTLS to actually begin adding useful
>> implementation bits.
>
> This required step was done in the wrong direction IMO: The proposed
> patch adds a dozen new "#if USE_"s. If we are moving "basic TLS I/O
> logic to libsecurity", then we should be reducing the number of ifdefs,
> not increasing them. Is this is a necessary pain to see some beautiful
> results in the future? Should not we wait with the pain until that
> future becomes a reality so that we can judge whether it is worth the pain?
>
Sorry. The empty ones were supposed to go before submission. Removed in
this patch.
>
>> -#if USE_OPENSSL
>> - /// Gives PeerConnector access to Answer in the TunnelStateData callback dialer.
>> - class MyAnswerDialer: public CallDialer, public Ssl::PeerConnector::CbDialer
>> +#if USE_OPENSSL || USE_GNUTLS
>> + /// Gives Securit::TlsPeerEncryptor access to Answer in the TunnelStateData callback dialer.
>> + class MyAnswerDialer: public CallDialer, public Security::TlsPeerEncryptor::CbDialer
>
> I understand why MyAnswerDialer was wrapped in USE_OPENSSL before -- it
> was using an Ssl::PeerConnector, and stuff in src/ssl/ is not generic.
> However, now, it is using Security::TlsPeerEncryptor and src/security
> API is supposed to be OpenSSL-neutral. Can we remove USE_OPENSSL from
> this (and possibly some other) tunnel.cc parts now instead of adding
> USE_GNUTLS?
>
Done. I was going to do that later when the I/O stuff was ready. But it
can be done now.
>
>> -class IcapPeerConnector: public PeerConnector {
>> +class IcapPeerConnector: public Security::TlsPeerEncryptor {
>
> Why was not this class renamed as well?
>
I am not moving it out of the Ssl namespace in this patch, and it still
contains OpenSSL specific code lines dealing with the session re-use. So
left the rename to happen later when that is cleared up in a followup patch.
>
>> -Ssl::CreateClient(Security::ContextPtr sslContext, const int fd, const char *squidCtx)
>> -{
>> - return SslCreate(sslContext, fd, Ssl::Bio::BIO_TO_SERVER, squidCtx);
>> -}
>
> That function seemed like a perfect pair for the CreateServer() which
> you did not remove. Why introduce such inconsistency and bother callers
> with such ugly details as BIO_TO_SERVER constants?
>
These are being replaced by the *Options class createContext() method.
But this one did not really need doing this early. So reverted.
>
>> - theName.termedBuf(),static_cast<int64_t>(theSize), xstrerr(savedError));
>> + theName.termedBuf(), static_cast<int64_t>(theSize), xstrerr(savedError));
>
> Out-of-scope formatting change.
>
Weird. Not sure where that came from. Reverted.
>
>> - if (!Comm::IsConnOpen(serverConnection()) || fd_table[serverConnection()->fd].closing())
>> + if (!Comm::IsConnOpen(serverConnection()))
>
> Out-of-scope optimization(?) change.
This is to avoid unused variable warning/errors in the non-OpenSSL
builds while also ensuring that the available stack variables are
consistent across all builds.
>
>> - if (request != NULL)
>> + if (request)
>
> Out-of-scope code style change.
Reverted and one or two others.
New patch attached.
Amos
-------------- next part --------------
=== modified file 'src/FwdState.cc'
--- src/FwdState.cc 2016-03-12 20:27:35 +0000
+++ src/FwdState.cc 2016-04-18 08:06:05 +0000
@@ -45,9 +45,9 @@
#include "pconn.h"
#include "PeerPoolMgr.h"
#include "PeerSelectState.h"
+#include "security/BlindPeerEncryptor.h"
#include "SquidConfig.h"
#include "SquidTime.h"
-#include "ssl/BlindPeerConnector.h"
#include "ssl/PeekingPeerConnector.h"
#include "Store.h"
#include "StoreClient.h"
@@ -79,7 +79,7 @@
CBDATA_CLASS_INIT(FwdState);
#if USE_OPENSSL
-class FwdStatePeerAnswerDialer: public CallDialer, public Ssl::PeerConnector::CbDialer
+class FwdStatePeerAnswerDialer: public CallDialer, public Security::PeerEncryptor::CbDialer
{
public:
typedef void (FwdState::*Method)(Security::EncryptorAnswer &);
@@ -94,7 +94,7 @@
os << '(' << fwd_.get() << ", " << answer_ << ')';
}
- /* Ssl::PeerConnector::CbDialer API */
+ /* Security::PeerEncryptor::CbDialer API */
virtual Security::EncryptorAnswer &answer() { return answer_; }
private:
@@ -700,11 +700,11 @@
FwdStatePeerAnswerDialer(&FwdState::connectedToPeer, this));
// Use positive timeout when less than one second is left.
const time_t sslNegotiationTimeout = max(static_cast<time_t>(1), timeLeft());
- Ssl::PeerConnector *connector = NULL;
+ Security::PeerEncryptor *connector = nullptr;
if (request->flags.sslPeek)
connector = new Ssl::PeekingPeerConnector(requestPointer, serverConnection(), clientConn, callback, al, sslNegotiationTimeout);
else
- connector = new Ssl::BlindPeerConnector(requestPointer, serverConnection(), callback, al, sslNegotiationTimeout);
+ connector = new Security::BlindPeerEncryptor(requestPointer, serverConnection(), callback, al, sslNegotiationTimeout);
AsyncJob::Start(connector); // will call our callback
return;
}
=== modified file 'src/PeerPoolMgr.cc'
--- src/PeerPoolMgr.cc 2016-02-02 15:39:23 +0000
+++ src/PeerPoolMgr.cc 2016-04-18 08:06:05 +0000
@@ -7,6 +7,7 @@
*/
#include "squid.h"
+#include "AccessLogEntry.h"
#include "base/AsyncJobCalls.h"
#include "base/RunnersRegistry.h"
#include "CachePeer.h"
@@ -20,25 +21,23 @@
#include "neighbors.h"
#include "pconn.h"
#include "PeerPoolMgr.h"
+#include "security/BlindPeerEncryptor.h"
#include "SquidConfig.h"
#include "SquidTime.h"
-#include "ssl/BlindPeerConnector.h"
CBDATA_CLASS_INIT(PeerPoolMgr);
-#if USE_OPENSSL
-/// Gives Ssl::PeerConnector access to Answer in the PeerPoolMgr callback dialer.
+/// Gives Security::PeerEncryptor access to Answer in the PeerPoolMgr callback dialer.
class MyAnswerDialer: public UnaryMemFunT<PeerPoolMgr, Security::EncryptorAnswer, Security::EncryptorAnswer&>,
- public Ssl::PeerConnector::CbDialer
+ public Security::PeerEncryptor::CbDialer
{
public:
MyAnswerDialer(const JobPointer &aJob, Method aMethod):
UnaryMemFunT<PeerPoolMgr, Security::EncryptorAnswer, Security::EncryptorAnswer&>(aJob, aMethod, Security::EncryptorAnswer()) {}
- /* Ssl::PeerConnector::CbDialer API */
+ /* Security::PeerEncryptor::CbDialer API */
virtual Security::EncryptorAnswer &answer() { return arg1; }
};
-#endif
PeerPoolMgr::PeerPoolMgr(CachePeer *aPeer): AsyncJob("PeerPoolMgr"),
peer(cbdataReference(aPeer)),
@@ -109,8 +108,7 @@
Must(params.conn != NULL);
-#if USE_OPENSSL
- // Handle SSL peers.
+ // Handle TLS encrypted peers.
if (peer->secure.encryptTransport) {
typedef CommCbMemFunT<PeerPoolMgr, CommCloseCbParams> CloserDialer;
closer = JobCallback(48, 3, CloserDialer, this,
@@ -125,14 +123,10 @@
const int timeUsed = squid_curtime - params.conn->startTime();
// Use positive timeout when less than one second is left for conn.
const int timeLeft = max(1, (peerTimeout - timeUsed));
- Ssl::BlindPeerConnector *connector =
- new Ssl::BlindPeerConnector(request, params.conn, securer, NULL, timeLeft);
- AsyncJob::Start(connector); // will call our callback
- return;
- }
-#endif
-
- pushNewConnection(params.conn);
+ auto *encryptor = new Security::BlindPeerEncryptor(request, params.conn, securer, nullptr, timeLeft);
+ AsyncJob::Start(encryptor); // will call our callback
+ } else
+ pushNewConnection(params.conn);
}
void
=== modified file 'src/PeerPoolMgr.h'
--- src/PeerPoolMgr.h 2016-01-01 00:12:18 +0000
+++ src/PeerPoolMgr.h 2016-04-18 08:06:05 +0000
@@ -51,7 +51,7 @@
/// Comm::ConnOpener calls this when done opening a connection for us
void handleOpenedConnection(const CommConnectCbParams ¶ms);
- /// Ssl::PeerConnector callback
+ /// Security::PeerEncryptor callback
void handleSecuredPeer(Security::EncryptorAnswer &answer);
/// called when the connection we are trying to secure is closed by a 3rd party
=== modified file 'src/adaptation/icap/Xaction.cc'
--- src/adaptation/icap/Xaction.cc 2016-02-02 15:39:23 +0000
+++ src/adaptation/icap/Xaction.cc 2016-04-22 13:13:59 +0000
@@ -34,22 +34,22 @@
#include "SquidTime.h"
#if USE_OPENSSL
-/// Gives Ssl::PeerConnector access to Answer in the PeerPoolMgr callback dialer.
+/// Gives Security::PeerEncryptor access to Answer in the PeerPoolMgr callback dialer.
class MyIcapAnswerDialer: public UnaryMemFunT<Adaptation::Icap::Xaction, Security::EncryptorAnswer, Security::EncryptorAnswer&>,
- public Ssl::PeerConnector::CbDialer
+ public Security::PeerEncryptor::CbDialer
{
public:
MyIcapAnswerDialer(const JobPointer &aJob, Method aMethod):
UnaryMemFunT<Adaptation::Icap::Xaction, Security::EncryptorAnswer, Security::EncryptorAnswer&>(aJob, aMethod, Security::EncryptorAnswer()) {}
- /* Ssl::PeerConnector::CbDialer API */
+ /* Security::PeerEncryptor::CbDialer API */
virtual Security::EncryptorAnswer &answer() { return arg1; }
};
namespace Ssl
{
/// A simple PeerConnector for Secure ICAP services. No SslBump capabilities.
-class IcapPeerConnector: public PeerConnector {
+class IcapPeerConnector: public Security::PeerEncryptor {
CBDATA_CLASS(IcapPeerConnector);
public:
IcapPeerConnector(
@@ -59,10 +59,10 @@
AccessLogEntry::Pointer const &alp,
const time_t timeout = 0):
AsyncJob("Ssl::IcapPeerConnector"),
- PeerConnector(aServerConn, aCallback, alp, timeout), icapService(service) {}
+ Security::PeerEncryptor(aServerConn, aCallback, alp, timeout), icapService(service) {}
- /* PeerConnector API */
- virtual Security::SessionPtr initializeSsl();
+ /* Security::PeerEncryptor API */
+ virtual Security::SessionPtr initialize();
virtual void noteNegotiationDone(ErrorState *error);
virtual Security::ContextPtr getSslContext() {return icapService->sslContext;}
@@ -311,7 +311,6 @@
securer = asyncCall(93, 4, "Adaptation::Icap::Xaction::handleSecuredPeer",
MyIcapAnswerDialer(me, &Adaptation::Icap::Xaction::handleSecuredPeer));
- Ssl::PeerConnector::HttpRequestPointer tmpReq(NULL);
Ssl::IcapPeerConnector *sslConnector =
new Ssl::IcapPeerConnector(theService, io.conn, securer, masterLogEntry(), TheConfig.connect_timeout(service().cfg().bypass));
AsyncJob::Start(sslConnector); // will call our callback
@@ -711,9 +710,9 @@
#if USE_OPENSSL
Security::SessionPtr
-Ssl::IcapPeerConnector::initializeSsl()
+Ssl::IcapPeerConnector::initialize()
{
- auto ssl = Ssl::PeerConnector::initializeSsl();
+ auto ssl = Security::PeerEncryptor::initialize();
if (!ssl)
return nullptr;
=== modified file 'src/adaptation/icap/Xaction.h'
--- src/adaptation/icap/Xaction.h 2016-02-23 08:51:22 +0000
+++ src/adaptation/icap/Xaction.h 2016-04-18 15:52:13 +0000
@@ -16,9 +16,7 @@
#include "HttpReply.h"
#include "ipcache.h"
#include "sbuf/SBuf.h"
-#if USE_OPENSSL
-#include "ssl/PeerConnector.h"
-#endif
+#include "security/PeerEncryptor.h"
class MemBuf;
=== renamed file 'src/ssl/BlindPeerConnector.cc' => 'src/security/BlindPeerEncryptor.cc'
--- src/ssl/BlindPeerConnector.cc 2016-01-27 16:56:38 +0000
+++ src/security/BlindPeerEncryptor.cc 2016-04-22 13:12:39 +0000
@@ -9,17 +9,18 @@
#include "squid.h"
#include "CachePeer.h"
#include "comm/Connection.h"
+#include "errorpage.h"
#include "fde.h"
#include "HttpRequest.h"
#include "neighbors.h"
+#include "security/BlindPeerEncryptor.h"
#include "security/NegotiationHistory.h"
#include "SquidConfig.h"
-#include "ssl/BlindPeerConnector.h"
-CBDATA_NAMESPACED_CLASS_INIT(Ssl, BlindPeerConnector);
+CBDATA_NAMESPACED_CLASS_INIT(Security, BlindPeerEncryptor);
Security::ContextPtr
-Ssl::BlindPeerConnector::getSslContext()
+Security::BlindPeerEncryptor::getSslContext()
{
if (const CachePeer *peer = serverConnection()->getPeer()) {
assert(peer->secure.encryptTransport);
@@ -30,9 +31,9 @@
}
Security::SessionPtr
-Ssl::BlindPeerConnector::initializeSsl()
+Security::BlindPeerEncryptor::initialize()
{
- auto ssl = Ssl::PeerConnector::initializeSsl();
+ auto ssl = Security::PeerEncryptor::initialize();
if (!ssl)
return nullptr;
@@ -42,22 +43,27 @@
// NP: domain may be a raw-IP but it is now always set
assert(!peer->secure.sslDomain.isEmpty());
+#if USE_OPENSSL
// const loss is okay here, ssl_ex_index_server is only read and not assigned a destructor
SBuf *host = new SBuf(peer->secure.sslDomain);
SSL_set_ex_data(ssl, ssl_ex_index_server, host);
if (peer->sslSession)
SSL_set_session(ssl, peer->sslSession);
+#endif
+
} else {
+#if USE_OPENSSL
SBuf *hostName = new SBuf(request->url.host());
SSL_set_ex_data(ssl, ssl_ex_index_server, (void*)hostName);
+#endif
}
return ssl;
}
void
-Ssl::BlindPeerConnector::noteNegotiationDone(ErrorState *error)
+Security::BlindPeerEncryptor::noteNegotiationDone(ErrorState *error)
{
if (error) {
// XXX: forward.cc calls peerConnectSucceeded() after an OK TCP connect but
@@ -70,6 +76,7 @@
return;
}
+#if USE_OPENSSL
const int fd = serverConnection()->fd;
Security::SessionPtr ssl = fd_table[fd].ssl.get();
if (serverConnection()->getPeer() && !SSL_session_reused(ssl)) {
@@ -78,5 +85,6 @@
serverConnection()->getPeer()->sslSession = SSL_get1_session(ssl);
}
+#endif
}
=== renamed file 'src/ssl/BlindPeerConnector.h' => 'src/security/BlindPeerEncryptor.h'
--- src/ssl/BlindPeerConnector.h 2016-02-02 15:39:23 +0000
+++ src/security/BlindPeerEncryptor.h 2016-04-22 13:12:49 +0000
@@ -6,47 +6,46 @@
* Please see the COPYING and CONTRIBUTORS files for details.
*/
-#ifndef SQUID_SRC_SSL_BLINDPEERCONNECTOR_H
-#define SQUID_SRC_SSL_BLINDPEERCONNECTOR_H
-
-#include "ssl/PeerConnector.h"
-
-#if USE_OPENSSL
-
-namespace Ssl
+#ifndef SQUID_SRC_SECURITY_BLINDPEERENCRYPTOR_H
+#define SQUID_SRC_SECURITY_BLINDPEERENCRYPTOR_H
+
+#include "security/PeerEncryptor.h"
+
+class ErrorState;
+
+namespace Security
{
-/// A simple PeerConnector for SSL/TLS cache_peers. No SslBump capabilities.
-class BlindPeerConnector: public PeerConnector {
- CBDATA_CLASS(BlindPeerConnector);
+/// A simple PeerEncryptor for TLS cache_peers. No SslBump capabilities.
+class BlindPeerEncryptor: public Security::PeerEncryptor {
+ CBDATA_CLASS(BlindPeerEncryptor);
public:
- BlindPeerConnector(HttpRequestPointer &aRequest,
- const Comm::ConnectionPointer &aServerConn,
- AsyncCall::Pointer &aCallback,
- const AccessLogEntryPointer &alp,
- const time_t timeout = 0) :
- AsyncJob("Ssl::BlindPeerConnector"),
- PeerConnector(aServerConn, aCallback, alp, timeout)
+ BlindPeerEncryptor(HttpRequestPointer &aRequest,
+ const Comm::ConnectionPointer &aServerConn,
+ AsyncCall::Pointer &aCallback,
+ const AccessLogEntryPointer &alp,
+ const time_t timeout = 0) :
+ AsyncJob("Security::BlindPeerEncryptor"),
+ Security::PeerEncryptor(aServerConn, aCallback, alp, timeout)
{
request = aRequest;
}
- /* PeerConnector API */
+ /* Security::PeerEncryptor API */
- /// Calls parent initializeSSL, configure the created SSL object to try reuse SSL session
- /// and sets the hostname to use for certificates validation
- virtual Security::SessionPtr initializeSsl();
+ /// Calls parent initialize(), configures the created TLS session object
+ /// to try and reuse a TLS session and sets the hostname to use for
+ /// certificate validation
+ virtual Security::SessionPtr initialize();
/// Return the configured Security::ContextPtr object
virtual Security::ContextPtr getSslContext();
- /// On error calls peerConnectFailed function, on success store the used SSL session
- /// for later use
- virtual void noteNegotiationDone(ErrorState *error);
+ /// On error calls peerConnectFailed().
+ /// On success store the used TLS session for later use.
+ virtual void noteNegotiationDone(ErrorState *);
};
-} // namespace Ssl
-
-#endif /* USE_OPENSSL */
-#endif /* SQUID_SRC_SSL_BLINDPEERCONNECTOR_H */
-
+} // namespace Security
+
+#endif /* SQUID_SRC_SECURITY_BLINDPEERENCRYPTOR_H */
=== modified file 'src/security/Makefile.am'
--- src/security/Makefile.am 2016-02-17 21:03:29 +0000
+++ src/security/Makefile.am 2016-04-18 08:06:01 +0000
@@ -13,6 +13,8 @@
noinst_LTLIBRARIES = libsecurity.la
libsecurity_la_SOURCES= \
+ BlindPeerEncryptor.cc \
+ BlindPeerEncryptor.h \
Context.h \
EncryptorAnswer.cc \
EncryptorAnswer.h \
@@ -21,6 +23,8 @@
LockingPointer.h \
NegotiationHistory.cc \
NegotiationHistory.h \
+ PeerEncryptor.cc \
+ PeerEncryptor.h \
PeerOptions.cc \
PeerOptions.h \
ServerOptions.cc \
=== renamed file 'src/ssl/PeerConnector.cc' => 'src/security/PeerEncryptor.cc'
--- src/ssl/PeerConnector.cc 2016-02-13 07:51:20 +0000
+++ src/security/PeerEncryptor.cc 2016-04-22 13:20:31 +0000
@@ -15,15 +15,17 @@
#include "fde.h"
#include "HttpRequest.h"
#include "SquidConfig.h"
+#include "security/PeerEncryptor.h"
+#if USE_OPENSSL
#include "ssl/cert_validate_message.h"
#include "ssl/Config.h"
#include "ssl/helper.h"
-#include "ssl/PeerConnector.h"
-
-CBDATA_NAMESPACED_CLASS_INIT(Ssl, PeerConnector);
-
-Ssl::PeerConnector::PeerConnector(const Comm::ConnectionPointer &aServerConn, AsyncCall::Pointer &aCallback, const AccessLogEntryPointer &alp, const time_t timeout) :
- AsyncJob("Ssl::PeerConnector"),
+#endif
+
+CBDATA_NAMESPACED_CLASS_INIT(Security, PeerEncryptor);
+
+Security::PeerEncryptor::PeerEncryptor(const Comm::ConnectionPointer &aServerConn, AsyncCall::Pointer &aCallback, const AccessLogEntryPointer &alp, const time_t timeout) :
+ AsyncJob("Security::PeerEncryptor"),
serverConn(aServerConn),
al(alp),
callback(aCallback),
@@ -35,75 +37,81 @@
Must(dynamic_cast<CbDialer*>(callback->getDialer()));
}
-Ssl::PeerConnector::~PeerConnector()
+Security::PeerEncryptor::~PeerEncryptor()
{
- debugs(83, 5, "Peer connector " << this << " gone");
+ debugs(83, 5, "Peer encryptor " << this << " gone");
}
-bool Ssl::PeerConnector::doneAll() const
+bool Security::PeerEncryptor::doneAll() const
{
return (!callback || callback->canceled()) && AsyncJob::doneAll();
}
/// Preps connection and SSL state. Calls negotiate().
void
-Ssl::PeerConnector::start()
+Security::PeerEncryptor::start()
{
AsyncJob::start();
- if (prepareSocket() && initializeSsl())
- negotiateSsl();
+ if (prepareSocket() && initialize())
+ negotiate();
}
void
-Ssl::PeerConnector::commCloseHandler(const CommCloseCbParams ¶ms)
+Security::PeerEncryptor::commCloseHandler(const CommCloseCbParams ¶ms)
{
- debugs(83, 5, "FD " << params.fd << ", Ssl::PeerConnector=" << params.data);
- connectionClosed("Ssl::PeerConnector::commCloseHandler");
+ debugs(83, 5, "FD " << params.fd << ", Security::PeerEncryptor=" << params.data);
+ connectionClosed("Security::PeerEncryptor::commCloseHandler");
}
void
-Ssl::PeerConnector::connectionClosed(const char *reason)
+Security::PeerEncryptor::connectionClosed(const char *reason)
{
mustStop(reason);
callback = NULL;
}
bool
-Ssl::PeerConnector::prepareSocket()
+Security::PeerEncryptor::prepareSocket()
{
const int fd = serverConnection()->fd;
if (!Comm::IsConnOpen(serverConn) || fd_table[serverConn->fd].closing()) {
- connectionClosed("Ssl::PeerConnector::prepareSocket");
+ connectionClosed("Security::PeerEncryptor::prepareSocket");
return false;
}
// watch for external connection closures
- typedef CommCbMemFunT<Ssl::PeerConnector, CommCloseCbParams> Dialer;
- closeHandler = JobCallback(9, 5, Dialer, this, Ssl::PeerConnector::commCloseHandler);
+ typedef CommCbMemFunT<Security::PeerEncryptor, CommCloseCbParams> Dialer;
+ closeHandler = JobCallback(9, 5, Dialer, this, Security::PeerEncryptor::commCloseHandler);
comm_add_close_handler(fd, closeHandler);
return true;
}
Security::SessionPtr
-Ssl::PeerConnector::initializeSsl()
+Security::PeerEncryptor::initialize()
{
Security::ContextPtr sslContext(getSslContext());
assert(sslContext);
- const int fd = serverConnection()->fd;
-
- auto ssl = Ssl::CreateClient(sslContext, fd, "server https start");
+#if USE_OPENSSL
+ auto ssl = Ssl::CreateServer(sslContext, serverConnection()->fd, "server https start");
+#else
+ Security::SessionPtr ssl = nullptr;
+#endif
if (!ssl) {
ErrorState *anErr = new ErrorState(ERR_SOCKET_FAILURE, Http::scInternalServerError, request.getRaw());
anErr->xerrno = errno;
+#if USE_OPENSSL
debugs(83, DBG_IMPORTANT, "Error allocating SSL handle: " << ERR_error_string(ERR_get_error(), NULL));
-
+#else
+ debugs(83, DBG_IMPORTANT, "Error allocating SSL handle: SSL not supported");
+#endif
noteNegotiationDone(anErr);
bail(anErr);
return nullptr;
}
+#if USE_OPENSSL
// If CertValidation Helper used do not lookup checklist for errors,
// but keep a list of errors to send it to CertValidator
if (!Ssl::TheConfig.ssl_crt_validator) {
@@ -116,11 +124,13 @@
SSL_set_ex_data(ssl, ssl_ex_index_cert_error_check, check);
}
}
+#endif
+
return ssl;
}
void
-Ssl::PeerConnector::setReadTimeout()
+Security::PeerEncryptor::setReadTimeout()
{
int timeToRead;
if (negotiationTimeout) {
@@ -134,14 +144,20 @@
}
void
-Ssl::PeerConnector::negotiateSsl()
+Security::PeerEncryptor::negotiate()
{
- if (!Comm::IsConnOpen(serverConnection()) || fd_table[serverConnection()->fd].closing())
+ if (!Comm::IsConnOpen(serverConnection()))
return;
const int fd = serverConnection()->fd;
- Security::SessionPtr ssl = fd_table[fd].ssl.get();
- const int result = SSL_connect(ssl);
+ if (fd_table[fd].closing())
+ return;
+
+#if USE_OPENSSL
+ const int result = SSL_connect(fd_table[fd].ssl.get());
+#else
+ const int result = 0;
+#endif
if (result <= 0) {
handleNegotiateError(result);
return; // we might be gone by now
@@ -154,8 +170,9 @@
}
bool
-Ssl::PeerConnector::sslFinalized()
+Security::PeerEncryptor::sslFinalized()
{
+#if USE_OPENSSL
if (Ssl::TheConfig.ssl_crt_validator && useCertValidator_) {
const int fd = serverConnection()->fd;
Security::SessionPtr ssl = fd_table[fd].ssl.get();
@@ -174,7 +191,7 @@
validationRequest.errors = NULL;
try {
debugs(83, 5, "Sending SSL certificate for validation to ssl_crtvd.");
- AsyncCall::Pointer call = asyncCall(83,5, "Ssl::PeerConnector::sslCrtvdHandleReply", Ssl::CertValidationHelper::CbDialer(this, &Ssl::PeerConnector::sslCrtvdHandleReply, nullptr));
+ AsyncCall::Pointer call = asyncCall(83,5, "Security::PeerEncryptor::sslCrtvdHandleReply", Ssl::CertValidationHelper::CbDialer(this, &Security::PeerEncryptor::sslCrtvdHandleReply, nullptr));
Ssl::CertValidationHelper::GetInstance()->sslSubmit(validationRequest, call);
return false;
} catch (const std::exception &e) {
@@ -191,13 +208,15 @@
return true;
}
}
+#endif
noteNegotiationDone(NULL);
return true;
}
+#if USE_OPENSSL
void
-Ssl::PeerConnector::sslCrtvdHandleReply(Ssl::CertValidationResponse::Pointer validationResponse)
+Security::PeerEncryptor::sslCrtvdHandleReply(Ssl::CertValidationResponse::Pointer validationResponse)
{
Must(validationResponse != NULL);
@@ -239,12 +258,14 @@
serverConn->close();
return;
}
+#endif
+#if USE_OPENSSL
/// Checks errors in the cert. validator response against sslproxy_cert_error.
/// The first honored error, if any, is returned via errDetails parameter.
/// The method returns all seen errors except SSL_ERROR_NONE as Ssl::CertErrors.
Ssl::CertErrors *
-Ssl::PeerConnector::sslCrtvdCheckForErrors(Ssl::CertValidationResponse const &resp, Ssl::ErrorDetail *& errDetails)
+Security::PeerEncryptor::sslCrtvdCheckForErrors(Ssl::CertValidationResponse const &resp, Ssl::ErrorDetail *& errDetails)
{
Ssl::CertErrors *errs = NULL;
@@ -296,19 +317,21 @@
return errs;
}
+#endif
/// A wrapper for Comm::SetSelect() notifications.
void
-Ssl::PeerConnector::NegotiateSsl(int, void *data)
+Security::PeerEncryptor::Negotiate(int, void *data)
{
- PeerConnector *pc = static_cast<PeerConnector*>(data);
+ PeerEncryptor *pc = static_cast<Security::PeerEncryptor *>(data);
// Use job calls to add done() checks and other job logic/protections.
- CallJobHere(83, 7, pc, Ssl::PeerConnector, negotiateSsl);
+ CallJobHere(83, 7, pc, Security::PeerEncryptor, negotiate);
}
void
-Ssl::PeerConnector::handleNegotiateError(const int ret)
+Security::PeerEncryptor::handleNegotiateError(const int ret)
{
+#if USE_OPENSSL
const int fd = serverConnection()->fd;
unsigned long ssl_lib_error = SSL_ERROR_NONE;
Security::SessionPtr ssl = fd_table[fd].ssl.get();
@@ -332,29 +355,32 @@
// no special error handling for all other errors
break;
}
- noteSslNegotiationError(ret, ssl_error, ssl_lib_error);
+ noteNegotiationError(ret, ssl_error, ssl_lib_error);
+#endif
}
void
-Ssl::PeerConnector::noteWantRead()
+Security::PeerEncryptor::noteWantRead()
{
setReadTimeout();
const int fd = serverConnection()->fd;
- Comm::SetSelect(fd, COMM_SELECT_READ, &NegotiateSsl, this, 0);
+ Comm::SetSelect(fd, COMM_SELECT_READ, &Negotiate, this, 0);
}
void
-Ssl::PeerConnector::noteWantWrite()
+Security::PeerEncryptor::noteWantWrite()
{
const int fd = serverConnection()->fd;
- Comm::SetSelect(fd, COMM_SELECT_WRITE, &NegotiateSsl, this, 0);
+ Comm::SetSelect(fd, COMM_SELECT_WRITE, &Negotiate, this, 0);
return;
}
void
-Ssl::PeerConnector::noteSslNegotiationError(const int ret, const int ssl_error, const int ssl_lib_error)
+Security::PeerEncryptor::noteNegotiationError(const int ret, const int ssl_error, const int ssl_lib_error)
{
-#ifdef EPROTO
+#if USE_OPENSSL
+
+#if defined(EPROTO)
int sysErrNo = EPROTO;
#else
int sysErrNo = EACCES;
@@ -377,7 +403,7 @@
anErr->xerrno = sysErrNo;
Security::SessionPtr ssl = fd_table[fd].ssl.get();
- Ssl::ErrorDetail *errFromFailure = (Ssl::ErrorDetail *)SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_detail);
+ Ssl::ErrorDetail *errFromFailure = static_cast<Ssl::ErrorDetail *>(SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_detail));
if (errFromFailure != NULL) {
// The errFromFailure is attached to the ssl object
// and will be released when ssl object destroyed.
@@ -395,10 +421,11 @@
noteNegotiationDone(anErr);
bail(anErr);
+#endif
}
void
-Ssl::PeerConnector::bail(ErrorState *error)
+Security::PeerEncryptor::bail(ErrorState *error)
{
Must(error); // or the recepient will not know there was a problem
Must(callback != NULL);
@@ -416,7 +443,7 @@
}
void
-Ssl::PeerConnector::callBack()
+Security::PeerEncryptor::callBack()
{
AsyncCall::Pointer cb = callback;
// Do this now so that if we throw below, swanSong() assert that we _tried_
@@ -433,7 +460,7 @@
}
void
-Ssl::PeerConnector::swanSong()
+Security::PeerEncryptor::swanSong()
{
// XXX: unregister fd-closure monitoring and CommSetSelect interest, if any
AsyncJob::swanSong();
@@ -447,7 +474,7 @@
}
const char *
-Ssl::PeerConnector::status() const
+Security::PeerEncryptor::status() const
{
static MemBuf buf;
buf.reset();
=== renamed file 'src/ssl/PeerConnector.h' => 'src/security/PeerEncryptor.h'
--- src/ssl/PeerConnector.h 2016-02-13 07:51:20 +0000
+++ src/security/PeerEncryptor.h 2016-04-22 13:21:45 +0000
@@ -6,50 +6,51 @@
* Please see the COPYING and CONTRIBUTORS files for details.
*/
-#ifndef SQUID_SRC_SSL_PEERCONNECTOR_H
-#define SQUID_SRC_SSL_PEERCONNECTOR_H
+#ifndef SQUID_SRC_SECURITY_PEERENCRYPTOR_H
+#define SQUID_SRC_SECURITY_PEERENCRYPTOR_H
#include "acl/Acl.h"
#include "base/AsyncCbdataCalls.h"
#include "base/AsyncJob.h"
#include "CommCalls.h"
+#include "http/forward.h"
#include "security/EncryptorAnswer.h"
+#include "security/forward.h"
+#if USE_OPENSSL
#include "ssl/support.h"
+#endif
#include <iosfwd>
-#if USE_OPENSSL
-
-class HttpRequest;
class ErrorState;
class AccessLogEntry;
typedef RefCount<AccessLogEntry> AccessLogEntryPointer;
-namespace Ssl
+namespace Security
{
/**
\par
- * Connects Squid to SSL/TLS-capable peers or services.
- * Contains common code and interfaces of various specialized PeerConnectors,
+ * Initiates encryption on a connection to peers or servers.
+ * Contains common code and interfaces of various specialized PeerEncryptors,
* including peer certificate validation code.
\par
* The caller receives a call back with Security::EncryptorAnswer. If answer.error
- * is not nil, then there was an error and the SSL connection to the SSL peer
+ * is not nil, then there was an error and the encryption to the peer or server
* was not fully established. The error object is suitable for error response
* generation.
\par
* The caller must monitor the connection for closure because this
* job will not inform the caller about such events.
\par
- * PeerConnector class curently supports a form of SSL negotiation timeout,
- * which accounted only when sets the read timeout from SSL peer.
+ * PeerEncryptor class curently supports a form of TLS negotiation timeout,
+ * which is accounted only when sets the read timeout from encrypted peers/servers.
* For a complete solution, the caller must monitor the overall connection
* establishment timeout and close the connection on timeouts. This is probably
* better than having dedicated (or none at all!) timeouts for peer selection,
* DNS lookup, TCP handshake, SSL handshake, etc. Some steps may have their
* own timeout, but not all steps should be forced to have theirs.
- * XXX: tunnel.cc and probably other subsystems does not have an "overall
+ * XXX: tunnel.cc and probably other subsystems do not have an "overall
* connection establishment" timeout. We need to change their code so that they
* start monitoring earlier and close on timeouts. This change may need to be
* discussed on squid-dev.
@@ -57,28 +58,26 @@
* This job never closes the connection, even on errors. If a 3rd-party
* closes the connection, this job simply quits without informing the caller.
*/
-class PeerConnector: virtual public AsyncJob
+class PeerEncryptor: virtual public AsyncJob
{
- CBDATA_CLASS(PeerConnector);
+ CBDATA_CLASS(PeerEncryptor);
public:
- /// Callback dialier API to allow PeerConnector to set the answer.
+ /// Callback dialier API to allow PeerEncryptor to set the answer.
class CbDialer
{
public:
virtual ~CbDialer() {}
- /// gives PeerConnector access to the in-dialer answer
+ /// gives PeerEncryptor access to the in-dialer answer
virtual Security::EncryptorAnswer &answer() = 0;
};
- typedef RefCount<HttpRequest> HttpRequestPointer;
-
public:
- PeerConnector(const Comm::ConnectionPointer &aServerConn,
+ PeerEncryptor(const Comm::ConnectionPointer &aServerConn,
AsyncCall::Pointer &aCallback,
const AccessLogEntryPointer &alp,
const time_t timeout = 0);
- virtual ~PeerConnector();
+ virtual ~PeerEncryptor();
protected:
// AsyncJob API
@@ -102,21 +101,22 @@
/// silent server
void setReadTimeout();
- virtual Security::SessionPtr initializeSsl(); ///< Initializes SSL state
+ /// Initializes encryption state
+ virtual Security::SessionPtr initialize();
/// Performs a single secure connection negotiation step.
- /// It is called multiple times untill the negotiation finish or aborted.
- void negotiateSsl();
+ /// It is called multiple times untill the negotiation finishes or aborts.
+ void negotiate();
- /// Called after SSL negotiations have finished. Cleans up SSL state.
+ /// Called after negotiation has finished. Cleans up TLS/SSL state.
/// Returns false if we are now waiting for the certs validation job.
/// Otherwise, returns true, regardless of negotiation success/failure.
bool sslFinalized();
- /// Called when the SSL negotiation step aborted because data needs to
- /// be transferred to/from SSL server or on error. In the first case
+ /// Called when the negotiation step aborted because data needs to
+ /// be transferred to/from server or on error. In the first case
/// setups the appropriate Comm::SetSelect handler. In second case
- /// fill an error and report to the PeerConnector caller.
+ /// fill an error and report to the PeerEncryptor caller.
void handleNegotiateError(const int result);
/// Called when the openSSL SSL_connect fnction request more data from
@@ -132,7 +132,7 @@
/// \param result the SSL_connect return code
/// \param ssl_error the error code returned from the SSL_get_error function
/// \param ssl_lib_error the error returned from the ERR_Get_Error function
- virtual void noteSslNegotiationError(const int result, const int ssl_error, const int ssl_lib_error);
+ virtual void noteNegotiationError(const int result, const int ssl_error, const int ssl_lib_error);
/// Called when the SSL negotiation to the server completed and the certificates
/// validated using the cert validator.
@@ -140,16 +140,16 @@
virtual void noteNegotiationDone(ErrorState *error) {}
/// Must implemented by the kid classes to return the Security::ContextPtr object to use
- /// for building the SSL objects.
+ /// for building the encryption context objects.
virtual Security::ContextPtr getSslContext() = 0;
/// mimics FwdState to minimize changes to FwdState::initiate/negotiateSsl
Comm::ConnectionPointer const &serverConnection() const { return serverConn; }
- void bail(ErrorState *error); ///< Return an error to the PeerConnector caller
+ void bail(ErrorState *error); ///< Return an error to the PeerEncryptor caller
/// Callback the caller class, and pass the ready to communicate secure
- /// connection or an error if PeerConnector failed.
+ /// connection or an error if PeerEncryptor failed.
void callBack();
/// If called the certificates validator will not used
@@ -160,25 +160,26 @@
AccessLogEntryPointer al; ///< info for the future access.log entry
AsyncCall::Pointer callback; ///< we call this with the results
private:
- PeerConnector(const PeerConnector &); // not implemented
- PeerConnector &operator =(const PeerConnector &); // not implemented
+ PeerEncryptor(const PeerEncryptor &); // not implemented
+ PeerEncryptor &operator =(const PeerEncryptor &); // not implemented
+#if USE_OPENSSL
/// Process response from cert validator helper
void sslCrtvdHandleReply(Ssl::CertValidationResponsePointer);
/// Check SSL errors returned from cert validator against sslproxy_cert_error access list
Ssl::CertErrors *sslCrtvdCheckForErrors(Ssl::CertValidationResponse const &, Ssl::ErrorDetail *&);
+#endif
- /// A wrapper function for negotiateSsl for use with Comm::SetSelect
- static void NegotiateSsl(int fd, void *data);
+ /// A wrapper function for negotiate() for use with Comm::SetSelect
+ static void Negotiate(int fd, void *data);
AsyncCall::Pointer closeHandler; ///< we call this when the connection closed
- time_t negotiationTimeout; ///< the SSL connection timeout to use
- time_t startTime; ///< when the peer connector negotiation started
- bool useCertValidator_; ///< whether the certificate validator should bypassed
+ time_t negotiationTimeout; ///< the encryption timeout to use
+ time_t startTime; ///< when the encryption negotiation started
+ bool useCertValidator_; ///< whether the certificate validator should be bypassed
};
-} // namespace Ssl
+} // namespace Security
-#endif /* USE_OPENSSL */
-#endif /* SQUID_SRC_SSL_PEERCONNECTOR_H */
+#endif /* SQUID_SRC_SECURITY_PEERENCRYPTOR_H */
=== modified file 'src/security/Session.h'
--- src/security/Session.h 2016-02-13 12:12:10 +0000
+++ src/security/Session.h 2016-04-18 08:06:01 +0000
@@ -31,6 +31,10 @@
CtoCpp1(SSL_free, SSL *);
typedef LockingPointer<SSL, Security::SSL_free_cpp, CRYPTO_LOCK_SSL> SessionPointer;
+typedef SSL_SESSION* SessionStatePtr;
+CtoCpp1(SSL_SESSION_free, SSL_SESSION *);
+typedef LockingPointer<SSL_SESSION, Security::SSL_SESSION_free_cpp, CRYPTO_LOCK_SSL_SESSION> SessionStatePointer;
+
#elif USE_GNUTLS
typedef gnutls_session_t SessionPtr;
CtoCpp1(gnutls_deinit, gnutls_session_t);
=== modified file 'src/security/forward.h'
--- src/security/forward.h 2016-01-01 00:12:18 +0000
+++ src/security/forward.h 2016-04-18 08:06:01 +0000
@@ -32,10 +32,6 @@
namespace Security
{
-class EncryptorAnswer;
-class PeerOptions;
-class ServerOptions;
-
#if USE_OPENSSL
CtoCpp1(X509_free, X509 *)
typedef Security::LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> CertPointer;
@@ -65,7 +61,11 @@
typedef void *DhePointer;
#endif
+class EncryptorAnswer;
class KeyData;
+class PeerOptions;
+class ServerOptions;
+class PeerEncryptor;
} // namespace Security
=== modified file 'src/ssl/Makefile.am'
--- src/ssl/Makefile.am 2016-02-01 11:52:03 +0000
+++ src/ssl/Makefile.am 2016-04-18 08:06:02 +0000
@@ -14,8 +14,6 @@
libsslsquid_la_SOURCES = \
bio.cc \
bio.h \
- BlindPeerConnector.cc \
- BlindPeerConnector.h \
cert_validate_message.cc \
cert_validate_message.h \
context_storage.cc \
@@ -28,8 +26,6 @@
ErrorDetailManager.h \
PeekingPeerConnector.cc \
PeekingPeerConnector.h \
- PeerConnector.cc \
- PeerConnector.h \
ProxyCerts.h \
ServerBump.cc \
ServerBump.h \
=== modified file 'src/ssl/PeekingPeerConnector.cc'
--- src/ssl/PeekingPeerConnector.cc 2016-02-13 07:51:20 +0000
+++ src/ssl/PeekingPeerConnector.cc 2016-04-22 13:21:24 +0000
@@ -97,7 +97,7 @@
srvBio->holdWrite(false);
srvBio->recordInput(false);
debugs(83,5, "Retry the fwdNegotiateSSL on FD " << serverConn->fd);
- Ssl::PeerConnector::noteWantWrite();
+ Security::PeerEncryptor::noteWantWrite();
} else {
splice = true;
// Ssl Negotiation stops here. Last SSL checks for valid certificates
@@ -134,9 +134,9 @@
}
Security::SessionPtr
-Ssl::PeekingPeerConnector::initializeSsl()
+Ssl::PeekingPeerConnector::initialize()
{
- auto ssl = Ssl::PeerConnector::initializeSsl();
+ auto ssl = Security::PeerEncryptor::initialize();
if (!ssl)
return nullptr;
@@ -282,11 +282,11 @@
return;
}
- Ssl::PeerConnector::noteWantWrite();
+ Security::PeerEncryptor::noteWantWrite();
}
void
-Ssl::PeekingPeerConnector::noteSslNegotiationError(const int result, const int ssl_error, const int ssl_lib_error)
+Ssl::PeekingPeerConnector::noteNegotiationError(const int result, const int ssl_error, const int ssl_lib_error)
{
const int fd = serverConnection()->fd;
Security::SessionPtr ssl = fd_table[fd].ssl.get();
@@ -327,7 +327,7 @@
}
// else call parent noteNegotiationError to produce an error page
- Ssl::PeerConnector::noteSslNegotiationError(result, ssl_error, ssl_lib_error);
+ Security::PeerEncryptor::noteNegotiationError(result, ssl_error, ssl_lib_error);
}
void
=== modified file 'src/ssl/PeekingPeerConnector.h'
--- src/ssl/PeekingPeerConnector.h 2016-02-12 10:45:47 +0000
+++ src/ssl/PeekingPeerConnector.h 2016-04-22 13:21:35 +0000
@@ -9,7 +9,7 @@
#ifndef SQUID_SRC_SSL_PEEKINGPEERCONNECTOR_H
#define SQUID_SRC_SSL_PEEKINGPEERCONNECTOR_H
-#include "ssl/PeerConnector.h"
+#include "security/PeerEncryptor.h"
#if USE_OPENSSL
@@ -17,7 +17,7 @@
{
/// A PeerConnector for HTTP origin servers. Capable of SslBumping.
-class PeekingPeerConnector: public PeerConnector {
+class PeekingPeerConnector: public Security::PeerEncryptor {
CBDATA_CLASS(PeekingPeerConnector);
public:
PeekingPeerConnector(HttpRequestPointer &aRequest,
@@ -27,7 +27,7 @@
const AccessLogEntryPointer &alp,
const time_t timeout = 0) :
AsyncJob("Ssl::PeekingPeerConnector"),
- PeerConnector(aServerConn, aCallback, alp, timeout),
+ Security::PeerEncryptor(aServerConn, aCallback, alp, timeout),
clientConn(aClientConn),
splice(false),
resumingSession(false),
@@ -36,11 +36,11 @@
request = aRequest;
}
- /* PeerConnector API */
- virtual Security::SessionPtr initializeSsl();
+ /* Security::PeerEncryptor API */
+ virtual Security::SessionPtr initialize();
virtual Security::ContextPtr getSslContext();
virtual void noteWantWrite();
- virtual void noteSslNegotiationError(const int result, const int ssl_error, const int ssl_lib_error);
+ virtual void noteNegotiationError(const int result, const int ssl_error, const int ssl_lib_error);
virtual void noteNegotiationDone(ErrorState *error);
/// Updates associated client connection manager members
=== modified file 'src/ssl/helper.h'
--- src/ssl/helper.h 2016-02-01 11:52:03 +0000
+++ src/ssl/helper.h 2016-04-18 08:06:02 +0000
@@ -12,6 +12,7 @@
#include "base/AsyncJobCalls.h"
#include "base/LruMap.h"
#include "helper/forward.h"
+#include "security/forward.h"
#include "ssl/cert_validate_message.h"
#include "ssl/crtd_message.h"
@@ -39,13 +40,12 @@
};
#endif
-class PeerConnector;
class CertValidationRequest;
class CertValidationResponse;
class CertValidationHelper
{
public:
- typedef UnaryMemFunT<Ssl::PeerConnector, CertValidationResponse::Pointer> CbDialer;
+ typedef UnaryMemFunT<Security::PeerEncryptor, CertValidationResponse::Pointer> CbDialer;
typedef void CVHCB(void *, Ssl::CertValidationResponse const &);
static CertValidationHelper * GetInstance(); ///< Instance class.
=== modified file 'src/tests/stub_libsecurity.cc'
--- src/tests/stub_libsecurity.cc 2016-01-26 21:02:00 +0000
+++ src/tests/stub_libsecurity.cc 2016-04-22 13:21:12 +0000
@@ -7,15 +7,49 @@
*/
#include "squid.h"
+#include "AccessLogEntry.h"
#include "comm/Connection.h"
+#include "HttpRequest.h"
#define STUB_API "security/libsecurity.la"
#include "tests/STUB.h"
+#include "security/BlindPeerEncryptor.h"
+CBDATA_NAMESPACED_CLASS_INIT(Security, BlindPeerEncryptor);
+Security::SessionPtr Security::BlindPeerEncryptor::initialize() STUB_RETVAL(nullptr)
+Security::ContextPtr Security::BlindPeerEncryptor::getSslContext() STUB_RETVAL(nullptr)
+void Security::BlindPeerEncryptor::noteNegotiationDone(ErrorState *) STUB
+
#include "security/EncryptorAnswer.h"
Security::EncryptorAnswer::~EncryptorAnswer() {}
std::ostream &Security::operator <<(std::ostream &os, const Security::EncryptorAnswer &) STUB_RETVAL(os)
+#include "security/PeerEncryptor.h"
+Security::PeerEncryptor::PeerEncryptor(const Comm::ConnectionPointer &, AsyncCall::Pointer &, const AccessLogEntryPointer &, const time_t):
+ AsyncJob("Security::PeerEncryptor"),
+ negotiationTimeout(0),
+ startTime(0),
+ useCertValidator_(false)
+{STUB}
+Security::PeerEncryptor::~PeerEncryptor() {STUB}
+void Security::PeerEncryptor::start() STUB
+bool Security::PeerEncryptor::doneAll() const STUB_RETVAL(true)
+void Security::PeerEncryptor::swanSong() STUB
+const char *Security::PeerEncryptor::status() const STUB_RETVAL("")
+void Security::PeerEncryptor::commCloseHandler(const CommCloseCbParams &) STUB
+void Security::PeerEncryptor::connectionClosed(const char *) STUB
+bool Security::PeerEncryptor::prepareSocket() STUB
+void Security::PeerEncryptor::setReadTimeout() STUB
+Security::SessionPtr Security::PeerEncryptor::initialize() STUB_RETVAL(nullptr)
+void Security::PeerEncryptor::negotiate() STUB
+bool Security::PeerEncryptor::sslFinalized() STUB_RETVAL(false)
+void Security::PeerEncryptor::handleNegotiateError(const int) STUB
+void Security::PeerEncryptor::noteWantRead() STUB
+void Security::PeerEncryptor::noteWantWrite() STUB
+void Security::PeerEncryptor::noteNegotiationError(const int, const int, const int) STUB
+void Security::PeerEncryptor::bail(ErrorState *) STUB
+void Security::PeerEncryptor::callBack() STUB
+
#include "security/PeerOptions.h"
Security::PeerOptions Security::ProxyOutgoingConfig;
void Security::PeerOptions::parse(char const*) STUB
=== modified file 'src/tunnel.cc'
--- src/tunnel.cc 2016-04-03 23:41:58 +0000
+++ src/tunnel.cc 2016-04-19 12:00:39 +0000
@@ -33,9 +33,9 @@
#include "MemBuf.h"
#include "PeerSelectState.h"
#include "sbuf/SBuf.h"
+#include "security/BlindPeerEncryptor.h"
#include "SquidConfig.h"
#include "SquidTime.h"
-#include "ssl/BlindPeerConnector.h"
#include "StatCounters.h"
#if USE_OPENSSL
#include "ssl/bio.h"
@@ -172,9 +172,8 @@
void connectToPeer();
private:
-#if USE_OPENSSL
- /// Gives PeerConnector access to Answer in the TunnelStateData callback dialer.
- class MyAnswerDialer: public CallDialer, public Ssl::PeerConnector::CbDialer
+ /// Gives Security::PeerEncryptor access to Answer in the TunnelStateData callback dialer.
+ class MyAnswerDialer: public CallDialer, public Security::PeerEncryptor::CbDialer
{
public:
typedef void (TunnelStateData::*Method)(Security::EncryptorAnswer &);
@@ -189,7 +188,7 @@
os << '(' << tunnel_.get() << ", " << answer_ << ')';
}
- /* Ssl::PeerConnector::CbDialer API */
+ /* Security::PeerEncryptor::CbDialer API */
virtual Security::EncryptorAnswer &answer() { return answer_; }
private:
@@ -197,7 +196,6 @@
CbcPointer<TunnelStateData> tunnel_;
Security::EncryptorAnswer answer_;
};
-#endif
/// callback handler after connection setup (including any encryption)
void connectedToPeer(Security::EncryptorAnswer &answer);
@@ -1092,19 +1090,16 @@
void
TunnelStateData::connectToPeer()
{
-#if USE_OPENSSL
if (CachePeer *p = server.conn->getPeer()) {
if (p->secure.encryptTransport) {
AsyncCall::Pointer callback = asyncCall(5,4,
"TunnelStateData::ConnectedToPeer",
MyAnswerDialer(&TunnelStateData::connectedToPeer, this));
- Ssl::BlindPeerConnector *connector =
- new Ssl::BlindPeerConnector(request, server.conn, callback, al);
- AsyncJob::Start(connector); // will call our callback
+ auto *encryptor = new Security::BlindPeerEncryptor(request, server.conn, callback, al);
+ AsyncJob::Start(encryptor); // will call our callback
return;
}
}
-#endif
Security::EncryptorAnswer nil;
connectedToPeer(nil);
More information about the squid-dev
mailing list