source: squid-ssl/trunk/fuentes/src/client_side.cc @ 5495

Last change on this file since 5495 was 5495, checked in by Juanma, 23 months ago

Initial release

File size: 181.2 KB
Line 
1/*
2 * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9/* DEBUG: section 33    Client-side Routines */
10
11/**
12 \defgroup ClientSide Client-Side Logics
13 *
14 \section cserrors Errors and client side
15 *
16 \par Problem the first:
17 * the store entry is no longer authoritative on the
18 * reply status. EBITTEST (E_ABORT) is no longer a valid test outside
19 * of client_side_reply.c.
20 * Problem the second: resources are wasted if we delay in cleaning up.
21 * Problem the third we can't depend on a connection close to clean up.
22 *
23 \par Nice thing the first:
24 * Any step in the stream can callback with data
25 * representing an error.
26 * Nice thing the second: once you stop requesting reads from upstream,
27 * upstream can be stopped too.
28 *
29 \par Solution #1:
30 * Error has a callback mechanism to hand over a membuf
31 * with the error content. The failing node pushes that back as the
32 * reply. Can this be generalised to reduce duplicate efforts?
33 * A: Possibly. For now, only one location uses this.
34 * How to deal with pre-stream errors?
35 * Tell client_side_reply that we *want* an error page before any
36 * stream calls occur. Then we simply read as normal.
37 *
38 *
39 \section pconn_logic Persistent connection logic:
40 *
41 \par
42 * requests (httpClientRequest structs) get added to the connection
43 * list, with the current one being chr
44 *
45 \par
46 * The request is *immediately* kicked off, and data flows through
47 * to clientSocketRecipient.
48 *
49 \par
50 * If the data that arrives at clientSocketRecipient is not for the current
51 * request, clientSocketRecipient simply returns, without requesting more
52 * data, or sending it.
53 *
54 \par
55 * ClientKeepAliveNextRequest will then detect the presence of data in
56 * the next ClientHttpRequest, and will send it, restablishing the
57 * data flow.
58 */
59
60#include "squid.h"
61#include "acl/FilledChecklist.h"
62#include "anyp/PortCfg.h"
63#include "base/Subscription.h"
64#include "base/TextException.h"
65#include "CachePeer.h"
66#include "ChunkedCodingParser.h"
67#include "client_db.h"
68#include "client_side.h"
69#include "client_side_reply.h"
70#include "client_side_request.h"
71#include "ClientRequestContext.h"
72#include "clientStream.h"
73#include "comm.h"
74#include "comm/Connection.h"
75#include "comm/Loops.h"
76#include "comm/Read.h"
77#include "comm/TcpAcceptor.h"
78#include "comm/Write.h"
79#include "CommCalls.h"
80#include "errorpage.h"
81#include "fd.h"
82#include "fde.h"
83#include "fqdncache.h"
84#include "FwdState.h"
85#include "globals.h"
86#include "helper.h"
87#include "helper/Reply.h"
88#include "http.h"
89#include "HttpHdrContRange.h"
90#include "HttpHeaderTools.h"
91#include "HttpReply.h"
92#include "HttpRequest.h"
93#include "ident/Config.h"
94#include "ident/Ident.h"
95#include "internal.h"
96#include "ipc/FdNotes.h"
97#include "ipc/StartListening.h"
98#include "log/access_log.h"
99#include "Mem.h"
100#include "MemBuf.h"
101#include "MemObject.h"
102#include "mime_header.h"
103#include "parser/Tokenizer.h"
104#include "profiler/Profiler.h"
105#include "rfc1738.h"
106#include "servers/forward.h"
107#include "SquidConfig.h"
108#include "SquidTime.h"
109#include "StatCounters.h"
110#include "StatHist.h"
111#include "Store.h"
112#include "TimeOrTag.h"
113#include "tools.h"
114#include "URL.h"
115
116#if USE_AUTH
117#include "auth/UserRequest.h"
118#endif
119#if USE_DELAY_POOLS
120#include "ClientInfo.h"
121#endif
122#if USE_OPENSSL
123#include "ssl/bio.h"
124#include "ssl/context_storage.h"
125#include "ssl/gadgets.h"
126#include "ssl/helper.h"
127#include "ssl/ProxyCerts.h"
128#include "ssl/ServerBump.h"
129#include "ssl/support.h"
130#endif
131#if USE_SSL_CRTD
132#include "ssl/certificate_db.h"
133#include "ssl/crtd_message.h"
134#endif
135
136#include <climits>
137#include <cmath>
138#include <limits>
139
140#if LINGERING_CLOSE
141#define comm_close comm_lingering_close
142#endif
143
144/// dials clientListenerConnectionOpened call
145class ListeningStartedDialer: public CallDialer, public Ipc::StartListeningCb
146{
147public:
148    typedef void (*Handler)(AnyP::PortCfgPointer &portCfg, const Ipc::FdNoteId note, const Subscription::Pointer &sub);
149    ListeningStartedDialer(Handler aHandler, AnyP::PortCfgPointer &aPortCfg, const Ipc::FdNoteId note, const Subscription::Pointer &aSub):
150        handler(aHandler), portCfg(aPortCfg), portTypeNote(note), sub(aSub) {}
151
152    virtual void print(std::ostream &os) const {
153        startPrint(os) <<
154                       ", " << FdNote(portTypeNote) << " port=" << (void*)&portCfg << ')';
155    }
156
157    virtual bool canDial(AsyncCall &) const { return true; }
158    virtual void dial(AsyncCall &) { (handler)(portCfg, portTypeNote, sub); }
159
160public:
161    Handler handler;
162
163private:
164    AnyP::PortCfgPointer portCfg;   ///< from HttpPortList
165    Ipc::FdNoteId portTypeNote;    ///< Type of IPC socket being opened
166    Subscription::Pointer sub; ///< The handler to be subscribed for this connetion listener
167};
168
169static void clientListenerConnectionOpened(AnyP::PortCfgPointer &s, const Ipc::FdNoteId portTypeNote, const Subscription::Pointer &sub);
170
171/* our socket-related context */
172
173CBDATA_CLASS_INIT(ClientSocketContext);
174
175/* Local functions */
176static IOCB clientWriteComplete;
177static IOCB clientWriteBodyComplete;
178static IOACB httpAccept;
179#if USE_OPENSSL
180static IOACB httpsAccept;
181#endif
182static CTCB clientLifetimeTimeout;
183#if USE_IDENT
184static IDCB clientIdentDone;
185#endif
186static int clientIsContentLengthValid(HttpRequest * r);
187static int clientIsRequestBodyTooLargeForPolicy(int64_t bodyLength);
188
189static void clientUpdateStatHistCounters(LogTags logType, int svc_time);
190static void clientUpdateStatCounters(LogTags logType);
191static void clientUpdateHierCounters(HierarchyLogEntry *);
192static bool clientPingHasFinished(ping_data const *aPing);
193void prepareLogWithRequestDetails(HttpRequest *, AccessLogEntry::Pointer &);
194static void ClientSocketContextPushDeferredIfNeeded(ClientSocketContext::Pointer deferredRequest, ConnStateData * conn);
195static void clientUpdateSocketStats(LogTags logType, size_t size);
196
197char *skipLeadingSpace(char *aString);
198static void connNoteUseOfBuffer(ConnStateData* conn, size_t byteCount);
199
200clientStreamNode *
201ClientSocketContext::getTail() const
202{
203    if (http->client_stream.tail)
204        return (clientStreamNode *)http->client_stream.tail->data;
205
206    return NULL;
207}
208
209clientStreamNode *
210ClientSocketContext::getClientReplyContext() const
211{
212    return (clientStreamNode *)http->client_stream.tail->prev->data;
213}
214
215ConnStateData *
216ClientSocketContext::getConn() const
217{
218    return http->getConn();
219}
220
221/**
222 * This routine should be called to grow the in.buf and then
223 * call Comm::Read().
224 */
225void
226ConnStateData::readSomeData()
227{
228    if (reading())
229        return;
230
231    debugs(33, 4, HERE << clientConnection << ": reading request...");
232
233    // we can only read if there is more than 1 byte of space free
234    if (Config.maxRequestBufferSize - in.buf.length() < 2)
235        return;
236
237    typedef CommCbMemFunT<ConnStateData, CommIoCbParams> Dialer;
238    reader = JobCallback(33, 5, Dialer, this, ConnStateData::clientReadRequest);
239    Comm::Read(clientConnection, reader);
240}
241
242void
243ClientSocketContext::removeFromConnectionList(ConnStateData * conn)
244{
245    ClientSocketContext::Pointer *tempContextPointer;
246    assert(conn != NULL && cbdataReferenceValid(conn));
247    assert(conn->getCurrentContext() != NULL);
248    /* Unlink us from the connection request list */
249    tempContextPointer = & conn->currentobject;
250
251    while (tempContextPointer->getRaw()) {
252        if (*tempContextPointer == this)
253            break;
254
255        tempContextPointer = &(*tempContextPointer)->next;
256    }
257
258    assert(tempContextPointer->getRaw() != NULL);
259    *tempContextPointer = next;
260    next = NULL;
261}
262
263ClientSocketContext::~ClientSocketContext()
264{
265    clientStreamNode *node = getTail();
266
267    if (node) {
268        ClientSocketContext *streamContext = dynamic_cast<ClientSocketContext *> (node->data.getRaw());
269
270        if (streamContext) {
271            /* We are *always* the tail - prevent recursive free */
272            assert(this == streamContext);
273            node->data = NULL;
274        }
275    }
276
277    if (connRegistered_)
278        deRegisterWithConn();
279
280    httpRequestFree(http);
281
282    /* clean up connection links to us */
283    assert(this != next.getRaw());
284}
285
286void
287ClientSocketContext::registerWithConn()
288{
289    assert (!connRegistered_);
290    assert (http);
291    assert (http->getConn() != NULL);
292    connRegistered_ = true;
293    http->getConn()->addContextToQueue(this);
294}
295
296void
297ClientSocketContext::deRegisterWithConn()
298{
299    assert (connRegistered_);
300    removeFromConnectionList(http->getConn());
301    connRegistered_ = false;
302}
303
304void
305ClientSocketContext::connIsFinished()
306{
307    assert (http);
308    assert (http->getConn() != NULL);
309    deRegisterWithConn();
310    /* we can't handle any more stream data - detach */
311    clientStreamDetach(getTail(), http);
312}
313
314ClientSocketContext::ClientSocketContext(const Comm::ConnectionPointer &aConn, ClientHttpRequest *aReq) :
315    clientConnection(aConn),
316    http(aReq),
317    reply(NULL),
318    next(NULL),
319    writtenToSocket(0),
320    mayUseConnection_ (false),
321    connRegistered_ (false)
322{
323    assert(http != NULL);
324    memset (reqbuf, '\0', sizeof (reqbuf));
325    flags.deferred = 0;
326    flags.parsed_ok = 0;
327    deferredparams.node = NULL;
328    deferredparams.rep = NULL;
329}
330
331void
332ClientSocketContext::writeControlMsg(HttpControlMsg &msg)
333{
334    HttpReply::Pointer rep(msg.reply);
335    Must(rep != NULL);
336
337    // remember the callback
338    cbControlMsgSent = msg.cbSuccess;
339
340    AsyncCall::Pointer call = commCbCall(33, 5, "ClientSocketContext::wroteControlMsg",
341                                         CommIoCbPtrFun(&WroteControlMsg, this));
342
343    getConn()->writeControlMsgAndCall(this, rep.getRaw(), call);
344}
345
346/// called when we wrote the 1xx response
347void
348ClientSocketContext::wroteControlMsg(const Comm::ConnectionPointer &conn, char *, size_t, Comm::Flag errflag, int xerrno)
349{
350    if (errflag == Comm::ERR_CLOSING)
351        return;
352
353    if (errflag == Comm::OK) {
354        ScheduleCallHere(cbControlMsgSent);
355        return;
356    }
357
358    debugs(33, 3, HERE << "1xx writing failed: " << xstrerr(xerrno));
359    // no error notification: see HttpControlMsg.h for rationale and
360    // note that some errors are detected elsewhere (e.g., close handler)
361
362    // close on 1xx errors to be conservative and to simplify the code
363    // (if we do not close, we must notify the source of a failure!)
364    conn->close();
365
366    // XXX: writeControlMsgAndCall() should handle writer-specific writing
367    // results, including errors and then call us with success/failure outcome.
368}
369
370/// wroteControlMsg() wrapper: ClientSocketContext is not an AsyncJob
371void
372ClientSocketContext::WroteControlMsg(const Comm::ConnectionPointer &conn, char *bufnotused, size_t size, Comm::Flag errflag, int xerrno, void *data)
373{
374    ClientSocketContext *context = static_cast<ClientSocketContext*>(data);
375    context->wroteControlMsg(conn, bufnotused, size, errflag, xerrno);
376}
377
378#if USE_IDENT
379static void
380clientIdentDone(const char *ident, void *data)
381{
382    ConnStateData *conn = (ConnStateData *)data;
383    xstrncpy(conn->clientConnection->rfc931, ident ? ident : dash_str, USER_IDENT_SZ);
384}
385#endif
386
387void
388clientUpdateStatCounters(LogTags logType)
389{
390    ++statCounter.client_http.requests;
391
392    if (logTypeIsATcpHit(logType))
393        ++statCounter.client_http.hits;
394
395    if (logType == LOG_TCP_HIT)
396        ++statCounter.client_http.disk_hits;
397    else if (logType == LOG_TCP_MEM_HIT)
398        ++statCounter.client_http.mem_hits;
399}
400
401void
402clientUpdateStatHistCounters(LogTags logType, int svc_time)
403{
404    statCounter.client_http.allSvcTime.count(svc_time);
405    /**
406     * The idea here is not to be complete, but to get service times
407     * for only well-defined types.  For example, we don't include
408     * LOG_TCP_REFRESH_FAIL because its not really a cache hit
409     * (we *tried* to validate it, but failed).
410     */
411
412    switch (logType) {
413
414    case LOG_TCP_REFRESH_UNMODIFIED:
415        statCounter.client_http.nearHitSvcTime.count(svc_time);
416        break;
417
418    case LOG_TCP_INM_HIT:
419    case LOG_TCP_IMS_HIT:
420        statCounter.client_http.nearMissSvcTime.count(svc_time);
421        break;
422
423    case LOG_TCP_HIT:
424
425    case LOG_TCP_MEM_HIT:
426
427    case LOG_TCP_OFFLINE_HIT:
428        statCounter.client_http.hitSvcTime.count(svc_time);
429        break;
430
431    case LOG_TCP_MISS:
432
433    case LOG_TCP_CLIENT_REFRESH_MISS:
434        statCounter.client_http.missSvcTime.count(svc_time);
435        break;
436
437    default:
438        /* make compiler warnings go away */
439        break;
440    }
441}
442
443bool
444clientPingHasFinished(ping_data const *aPing)
445{
446    if (0 != aPing->stop.tv_sec && 0 != aPing->start.tv_sec)
447        return true;
448
449    return false;
450}
451
452void
453clientUpdateHierCounters(HierarchyLogEntry * someEntry)
454{
455    ping_data *i;
456
457    switch (someEntry->code) {
458#if USE_CACHE_DIGESTS
459
460    case CD_PARENT_HIT:
461
462    case CD_SIBLING_HIT:
463        ++ statCounter.cd.times_used;
464        break;
465#endif
466
467    case SIBLING_HIT:
468
469    case PARENT_HIT:
470
471    case FIRST_PARENT_MISS:
472
473    case CLOSEST_PARENT_MISS:
474        ++ statCounter.icp.times_used;
475        i = &someEntry->ping;
476
477        if (clientPingHasFinished(i))
478            statCounter.icp.querySvcTime.count(tvSubUsec(i->start, i->stop));
479
480        if (i->timeout)
481            ++ statCounter.icp.query_timeouts;
482
483        break;
484
485    case CLOSEST_PARENT:
486
487    case CLOSEST_DIRECT:
488        ++ statCounter.netdb.times_used;
489
490        break;
491
492    default:
493        break;
494    }
495}
496
497void
498ClientHttpRequest::updateCounters()
499{
500    clientUpdateStatCounters(logType);
501
502    if (request->errType != ERR_NONE)
503        ++ statCounter.client_http.errors;
504
505    clientUpdateStatHistCounters(logType,
506                                 tvSubMsec(al->cache.start_time, current_time));
507
508    clientUpdateHierCounters(&request->hier);
509}
510
511void
512prepareLogWithRequestDetails(HttpRequest * request, AccessLogEntry::Pointer &aLogEntry)
513{
514    assert(request);
515    assert(aLogEntry != NULL);
516
517    if (Config.onoff.log_mime_hdrs) {
518        Packer p;
519        MemBuf mb;
520        mb.init();
521        packerToMemInit(&p, &mb);
522        request->header.packInto(&p);
523        //This is the request after adaptation or redirection
524        aLogEntry->headers.adapted_request = xstrdup(mb.buf);
525
526        // the virgin request is saved to aLogEntry->request
527        if (aLogEntry->request) {
528            packerClean(&p);
529            mb.reset();
530            packerToMemInit(&p, &mb);
531            aLogEntry->request->header.packInto(&p);
532            aLogEntry->headers.request = xstrdup(mb.buf);
533        }
534
535#if USE_ADAPTATION
536        const Adaptation::History::Pointer ah = request->adaptLogHistory();
537        if (ah != NULL) {
538            packerClean(&p);
539            mb.reset();
540            packerToMemInit(&p, &mb);
541            ah->lastMeta.packInto(&p);
542            aLogEntry->adapt.last_meta = xstrdup(mb.buf);
543        }
544#endif
545
546        packerClean(&p);
547        mb.clean();
548    }
549
550#if ICAP_CLIENT
551    const Adaptation::Icap::History::Pointer ih = request->icapHistory();
552    if (ih != NULL)
553        aLogEntry->icap.processingTime = ih->processingTime();
554#endif
555
556    aLogEntry->http.method = request->method;
557    aLogEntry->http.version = request->http_ver;
558    aLogEntry->hier = request->hier;
559    if (request->content_length > 0) // negative when no body or unknown length
560        aLogEntry->http.clientRequestSz.payloadData += request->content_length; // XXX: actually adaptedRequest payload size ??
561    aLogEntry->cache.extuser = request->extacl_user.termedBuf();
562
563    // Adapted request, if any, inherits and then collects all the stats, but
564    // the virgin request gets logged instead; copy the stats to log them.
565    // TODO: avoid losses by keeping these stats in a shared history object?
566    if (aLogEntry->request) {
567        aLogEntry->request->dnsWait = request->dnsWait;
568        aLogEntry->request->errType = request->errType;
569        aLogEntry->request->errDetail = request->errDetail;
570    }
571}
572
573void
574ClientHttpRequest::logRequest()
575{
576    if (!out.size && !logType)
577        debugs(33, 5, HERE << "logging half-baked transaction: " << log_uri);
578
579    al->icp.opcode = ICP_INVALID;
580    al->url = log_uri;
581    debugs(33, 9, "clientLogRequest: al.url='" << al->url << "'");
582
583    if (al->reply) {
584        al->http.code = al->reply->sline.status();
585        al->http.content_type = al->reply->content_type.termedBuf();
586    } else if (loggingEntry() && loggingEntry()->mem_obj) {
587        al->http.code = loggingEntry()->mem_obj->getReply()->sline.status();
588        al->http.content_type = loggingEntry()->mem_obj->getReply()->content_type.termedBuf();
589    }
590
591    debugs(33, 9, "clientLogRequest: http.code='" << al->http.code << "'");
592
593    if (loggingEntry() && loggingEntry()->mem_obj && loggingEntry()->objectLen() >= 0)
594        al->cache.objectSize = loggingEntry()->contentLen(); // payload duplicate ?? with or without TE ?
595
596    al->http.clientRequestSz.header = req_sz;
597    al->http.clientReplySz.header = out.headers_sz;
598    // XXX: calculate without payload encoding or headers !!
599    al->http.clientReplySz.payloadData = out.size - out.headers_sz; // pretend its all un-encoded data for now.
600
601    al->cache.highOffset = out.offset;
602
603    al->cache.code = logType;
604
605    al->cache.msec = tvSubMsec(al->cache.start_time, current_time);
606
607    if (request)
608        prepareLogWithRequestDetails(request, al);
609
610    if (getConn() != NULL && getConn()->clientConnection != NULL && getConn()->clientConnection->rfc931[0])
611        al->cache.rfc931 = getConn()->clientConnection->rfc931;
612
613#if USE_OPENSSL && 0
614
615    /* This is broken. Fails if the connection has been closed. Needs
616     * to snarf the ssl details some place earlier..
617     */
618    if (getConn() != NULL)
619        al->cache.ssluser = sslGetUserEmail(fd_table[getConn()->fd].ssl);
620
621#endif
622
623    /* Add notes (if we have a request to annotate) */
624    if (request) {
625        // The al->notes and request->notes must point to the same object.
626        (void)SyncNotes(*al, *request);
627        for (Notes::iterator i = Config.notes.begin(); i != Config.notes.end(); ++i) {
628            if (const char *value = (*i)->match(request, al->reply, NULL)) {
629                NotePairs &notes = SyncNotes(*al, *request);
630                notes.add((*i)->key.termedBuf(), value);
631                debugs(33, 3, (*i)->key.termedBuf() << " " << value);
632            }
633        }
634    }
635
636    ACLFilledChecklist checklist(NULL, request, NULL);
637    if (al->reply) {
638        checklist.reply = al->reply;
639        HTTPMSGLOCK(checklist.reply);
640    }
641
642    if (request) {
643        al->adapted_request = request;
644        HTTPMSGLOCK(al->adapted_request);
645    }
646    accessLogLog(al, &checklist);
647
648    bool updatePerformanceCounters = true;
649    if (Config.accessList.stats_collection) {
650        ACLFilledChecklist statsCheck(Config.accessList.stats_collection, request, NULL);
651        if (al->reply) {
652            statsCheck.reply = al->reply;
653            HTTPMSGLOCK(statsCheck.reply);
654        }
655        updatePerformanceCounters = (statsCheck.fastCheck() == ACCESS_ALLOWED);
656    }
657
658    if (updatePerformanceCounters) {
659        if (request)
660            updateCounters();
661
662        if (getConn() != NULL && getConn()->clientConnection != NULL)
663            clientdbUpdate(getConn()->clientConnection->remote, logType, AnyP::PROTO_HTTP, out.size);
664    }
665}
666
667void
668ClientHttpRequest::freeResources()
669{
670    safe_free(uri);
671    safe_free(log_uri);
672    safe_free(redirect.location);
673    range_iter.boundary.clean();
674    HTTPMSGUNLOCK(request);
675
676    if (client_stream.tail)
677        clientStreamAbort((clientStreamNode *)client_stream.tail->data, this);
678}
679
680void
681httpRequestFree(void *data)
682{
683    ClientHttpRequest *http = (ClientHttpRequest *)data;
684    assert(http != NULL);
685    delete http;
686}
687
688bool
689ConnStateData::areAllContextsForThisConnection() const
690{
691    ClientSocketContext::Pointer context = getCurrentContext();
692
693    while (context.getRaw()) {
694        if (context->http->getConn() != this)
695            return false;
696
697        context = context->next;
698    }
699
700    return true;
701}
702
703void
704ConnStateData::freeAllContexts()
705{
706    ClientSocketContext::Pointer context;
707
708    while ((context = getCurrentContext()).getRaw() != NULL) {
709        assert(getCurrentContext() !=
710               getCurrentContext()->next);
711        context->connIsFinished();
712        assert (context != currentobject);
713    }
714}
715
716/// propagates abort event to all contexts
717void
718ConnStateData::notifyAllContexts(int xerrno)
719{
720    typedef ClientSocketContext::Pointer CSCP;
721    for (CSCP c = getCurrentContext(); c.getRaw(); c = c->next)
722        c->noteIoError(xerrno);
723}
724
725/* This is a handler normally called by comm_close() */
726void ConnStateData::connStateClosed(const CommCloseCbParams &io)
727{
728    deleteThis("ConnStateData::connStateClosed");
729}
730
731#if USE_AUTH
732void
733ConnStateData::setAuth(const Auth::UserRequest::Pointer &aur, const char *by)
734{
735    if (auth_ == NULL) {
736        if (aur != NULL) {
737            debugs(33, 2, "Adding connection-auth to " << clientConnection << " from " << by);
738            auth_ = aur;
739        }
740        return;
741    }
742
743    // clobered with self-pointer
744    // NP: something nasty is going on in Squid, but harmless.
745    if (aur == auth_) {
746        debugs(33, 2, "WARNING: Ignoring duplicate connection-auth for " << clientConnection << " from " << by);
747        return;
748    }
749
750    /*
751     * Connection-auth relies on a single set of credentials being preserved
752     * for all requests on a connection once they have been setup.
753     * There are several things which need to happen to preserve security
754     * when connection-auth credentials change unexpectedly or are unset.
755     *
756     * 1) auth helper released from any active state
757     *
758     * They can only be reserved by a handshake process which this
759     * connection can now never complete.
760     * This prevents helpers hanging when their connections close.
761     *
762     * 2) pinning is expected to be removed and server conn closed
763     *
764     * The upstream link is authenticated with the same credentials.
765     * Expecting the same level of consistency we should have received.
766     * This prevents upstream being faced with multiple or missing
767     * credentials after authentication.
768     * NP: un-pin is left to the cleanup in ConnStateData::swanSong()
769     *     we just trigger that cleanup here via comm_reset_close() or
770     *     ConnStateData::stopReceiving()
771     *
772     * 3) the connection needs to close.
773     *
774     * This prevents attackers injecting requests into a connection,
775     * or gateways wrongly multiplexing users into a single connection.
776     *
777     * When credentials are missing closure needs to follow an auth
778     * challenge for best recovery by the client.
779     *
780     * When credentials change there is nothing we can do but abort as
781     * fast as possible. Sending TCP RST instead of an HTTP response
782     * is the best-case action.
783     */
784
785    // clobbered with nul-pointer
786    if (aur == NULL) {
787        debugs(33, 2, "WARNING: Graceful closure on " << clientConnection << " due to connection-auth erase from " << by);
788        auth_->releaseAuthServer();
789        auth_ = NULL;
790        // XXX: need to test whether the connection re-auth challenge is sent. If not, how to trigger it from here.
791        // NP: the current situation seems to fix challenge loops in Safari without visible issues in others.
792        // we stop receiving more traffic but can leave the Job running to terminate after the error or challenge is delivered.
793        stopReceiving("connection-auth removed");
794        return;
795    }
796
797    // clobbered with alternative credentials
798    if (aur != auth_) {
799        debugs(33, 2, "ERROR: Closing " << clientConnection << " due to change of connection-auth from " << by);
800        auth_->releaseAuthServer();
801        auth_ = NULL;
802        // this is a fatal type of problem.
803        // Close the connection immediately with TCP RST to abort all traffic flow
804        comm_reset_close(clientConnection);
805        return;
806    }
807
808    /* NOT REACHABLE */
809}
810#endif
811
812// cleans up before destructor is called
813void
814ConnStateData::swanSong()
815{
816    debugs(33, 2, HERE << clientConnection);
817    flags.readMore = false;
818    DeregisterRunner(this);
819    clientdbEstablished(clientConnection->remote, -1);  /* decrement */
820    assert(areAllContextsForThisConnection());
821    freeAllContexts();
822
823    unpinConnection(true);
824
825    if (Comm::IsConnOpen(clientConnection))
826        clientConnection->close();
827
828#if USE_AUTH
829    // NP: do this bit after closing the connections to avoid side effects from unwanted TCP RST
830    setAuth(NULL, "ConnStateData::SwanSong cleanup");
831#endif
832
833    BodyProducer::swanSong();
834    flags.swanSang = true;
835}
836
837bool
838ConnStateData::isOpen() const
839{
840    return cbdataReferenceValid(this) && // XXX: checking "this" in a method
841           Comm::IsConnOpen(clientConnection) &&
842           !fd_table[clientConnection->fd].closing();
843}
844
845ConnStateData::~ConnStateData()
846{
847    debugs(33, 3, HERE << clientConnection);
848
849    if (isOpen())
850        debugs(33, DBG_IMPORTANT, "BUG: ConnStateData did not close " << clientConnection);
851
852    if (!flags.swanSang)
853        debugs(33, DBG_IMPORTANT, "BUG: ConnStateData was not destroyed properly; " << clientConnection);
854
855    if (bodyPipe != NULL)
856        stopProducingFor(bodyPipe, false);
857
858#if USE_OPENSSL
859    delete sslServerBump;
860#endif
861}
862
863/**
864 * clientSetKeepaliveFlag() sets request->flags.proxyKeepalive.
865 * This is the client-side persistent connection flag.  We need
866 * to set this relatively early in the request processing
867 * to handle hacks for broken servers and clients.
868 */
869void
870clientSetKeepaliveFlag(ClientHttpRequest * http)
871{
872    HttpRequest *request = http->request;
873
874    debugs(33, 3, "http_ver = " << request->http_ver);
875    debugs(33, 3, "method = " << request->method);
876
877    // TODO: move to HttpRequest::hdrCacheInit, just like HttpReply.
878    request->flags.proxyKeepalive = request->persistent();
879}
880
881/// checks body length of non-chunked requests
882static int
883clientIsContentLengthValid(HttpRequest * r)
884{
885    // No Content-Length means this request just has no body, but conflicting
886    // Content-Lengths mean a message framing error (RFC 7230 Section 3.3.3 #4).
887    if (r->header.conflictingContentLength())
888        return 0;
889
890    switch (r->method.id()) {
891
892    case Http::METHOD_GET:
893
894    case Http::METHOD_HEAD:
895        /* We do not want to see a request entity on GET/HEAD requests */
896        return (r->content_length <= 0 || Config.onoff.request_entities);
897
898    default:
899        /* For other types of requests we don't care */
900        return 1;
901    }
902
903    /* NOT REACHED */
904}
905
906int
907clientIsRequestBodyTooLargeForPolicy(int64_t bodyLength)
908{
909    if (Config.maxRequestBodySize &&
910            bodyLength > Config.maxRequestBodySize)
911        return 1;       /* too large */
912
913    return 0;
914}
915
916// careful: the "current" context may be gone if we wrote an early response
917ClientSocketContext::Pointer
918ConnStateData::getCurrentContext() const
919{
920    return currentobject;
921}
922
923void
924ClientSocketContext::deferRecipientForLater(clientStreamNode * node, HttpReply * rep, StoreIOBuffer receivedData)
925{
926    debugs(33, 2, "clientSocketRecipient: Deferring request " << http->uri);
927    assert(flags.deferred == 0);
928    flags.deferred = 1;
929    deferredparams.node = node;
930    deferredparams.rep = rep;
931    deferredparams.queuedBuffer = receivedData;
932    return;
933}
934
935bool
936ClientSocketContext::startOfOutput() const
937{
938    return http->out.size == 0;
939}
940
941size_t
942ClientSocketContext::lengthToSend(Range<int64_t> const &available)
943{
944    /*the size of available range can always fit in a size_t type*/
945    size_t maximum = (size_t)available.size();
946
947    if (!http->request->range)
948        return maximum;
949
950    assert (canPackMoreRanges());
951
952    if (http->range_iter.debt() == -1)
953        return maximum;
954
955    assert (http->range_iter.debt() > 0);
956
957    /* TODO this + the last line could be a range intersection calculation */
958    if (available.start < http->range_iter.currentSpec()->offset)
959        return 0;
960
961    return min(http->range_iter.debt(), (int64_t)maximum);
962}
963
964void
965ClientSocketContext::noteSentBodyBytes(size_t bytes)
966{
967    debugs(33, 7, bytes << " body bytes");
968
969    http->out.offset += bytes;
970
971    if (!http->request->range)
972        return;
973
974    if (http->range_iter.debt() != -1) {
975        http->range_iter.debt(http->range_iter.debt() - bytes);
976        assert (http->range_iter.debt() >= 0);
977    }
978
979    /* debt() always stops at -1, below that is a bug */
980    assert (http->range_iter.debt() >= -1);
981}
982
983bool
984ClientHttpRequest::multipartRangeRequest() const
985{
986    return request->multipartRangeRequest();
987}
988
989bool
990ClientSocketContext::multipartRangeRequest() const
991{
992    return http->multipartRangeRequest();
993}
994
995void
996ClientSocketContext::sendBody(HttpReply * rep, StoreIOBuffer bodyData)
997{
998    assert(rep == NULL);
999
1000    if (!multipartRangeRequest() && !http->request->flags.chunkedReply) {
1001        size_t length = lengthToSend(bodyData.range());
1002        noteSentBodyBytes (length);
1003        AsyncCall::Pointer call = commCbCall(33, 5, "clientWriteBodyComplete",
1004                                             CommIoCbPtrFun(clientWriteBodyComplete, this));
1005        Comm::Write(clientConnection, bodyData.data, length, call, NULL);
1006        return;
1007    }
1008
1009    MemBuf mb;
1010    mb.init();
1011    if (multipartRangeRequest())
1012        packRange(bodyData, &mb);
1013    else
1014        packChunk(bodyData, mb);
1015
1016    if (mb.contentSize()) {
1017        /* write */
1018        AsyncCall::Pointer call = commCbCall(33, 5, "clientWriteComplete",
1019                                             CommIoCbPtrFun(clientWriteComplete, this));
1020        Comm::Write(clientConnection, &mb, call);
1021    }  else
1022        writeComplete(clientConnection, NULL, 0, Comm::OK);
1023}
1024
1025/**
1026 * Packs bodyData into mb using chunked encoding. Packs the last-chunk
1027 * if bodyData is empty.
1028 */
1029void
1030ClientSocketContext::packChunk(const StoreIOBuffer &bodyData, MemBuf &mb)
1031{
1032    const uint64_t length =
1033        static_cast<uint64_t>(lengthToSend(bodyData.range()));
1034    noteSentBodyBytes(length);
1035
1036    mb.Printf("%" PRIX64 "\r\n", length);
1037    mb.append(bodyData.data, length);
1038    mb.Printf("\r\n");
1039}
1040
1041/** put terminating boundary for multiparts */
1042static void
1043clientPackTermBound(String boundary, MemBuf * mb)
1044{
1045    mb->Printf("\r\n--" SQUIDSTRINGPH "--\r\n", SQUIDSTRINGPRINT(boundary));
1046    debugs(33, 6, "clientPackTermBound: buf offset: " << mb->size);
1047}
1048
1049/** appends a "part" HTTP header (as in a multi-part/range reply) to the buffer */
1050static void
1051clientPackRangeHdr(const HttpReply * rep, const HttpHdrRangeSpec * spec, String boundary, MemBuf * mb)
1052{
1053    HttpHeader hdr(hoReply);
1054    Packer p;
1055    assert(rep);
1056    assert(spec);
1057
1058    /* put boundary */
1059    debugs(33, 5, "clientPackRangeHdr: appending boundary: " << boundary);
1060    /* rfc2046 requires to _prepend_ boundary with <crlf>! */
1061    mb->Printf("\r\n--" SQUIDSTRINGPH "\r\n", SQUIDSTRINGPRINT(boundary));
1062
1063    /* stuff the header with required entries and pack it */
1064
1065    if (rep->header.has(HDR_CONTENT_TYPE))
1066        hdr.putStr(HDR_CONTENT_TYPE, rep->header.getStr(HDR_CONTENT_TYPE));
1067
1068    httpHeaderAddContRange(&hdr, *spec, rep->content_length);
1069
1070    packerToMemInit(&p, mb);
1071
1072    hdr.packInto(&p);
1073
1074    packerClean(&p);
1075
1076    hdr.clean();
1077
1078    /* append <crlf> (we packed a header, not a reply) */
1079    mb->Printf("\r\n");
1080}
1081
1082/**
1083 * extracts a "range" from *buf and appends them to mb, updating
1084 * all offsets and such.
1085 */
1086void
1087ClientSocketContext::packRange(StoreIOBuffer const &source, MemBuf * mb)
1088{
1089    HttpHdrRangeIter * i = &http->range_iter;
1090    Range<int64_t> available (source.range());
1091    char const *buf = source.data;
1092
1093    while (i->currentSpec() && available.size()) {
1094        const size_t copy_sz = lengthToSend(available);
1095
1096        if (copy_sz) {
1097            /*
1098             * intersection of "have" and "need" ranges must not be empty
1099             */
1100            assert(http->out.offset < i->currentSpec()->offset + i->currentSpec()->length);
1101            assert(http->out.offset + (int64_t)available.size() > i->currentSpec()->offset);
1102
1103            /*
1104             * put boundary and headers at the beginning of a range in a
1105             * multi-range
1106             */
1107
1108            if (http->multipartRangeRequest() && i->debt() == i->currentSpec()->length) {
1109                assert(http->memObject());
1110                clientPackRangeHdr(
1111                    http->memObject()->getReply(),  /* original reply */
1112                    i->currentSpec(),       /* current range */
1113                    i->boundary,    /* boundary, the same for all */
1114                    mb);
1115            }
1116
1117            /*
1118             * append content
1119             */
1120            debugs(33, 3, "clientPackRange: appending " << copy_sz << " bytes");
1121
1122            noteSentBodyBytes (copy_sz);
1123
1124            mb->append(buf, copy_sz);
1125
1126            /*
1127             * update offsets
1128             */
1129            available.start += copy_sz;
1130
1131            buf += copy_sz;
1132
1133        }
1134
1135        if (!canPackMoreRanges()) {
1136            debugs(33, 3, "clientPackRange: Returning because !canPackMoreRanges.");
1137
1138            if (i->debt() == 0)
1139                /* put terminating boundary for multiparts */
1140                clientPackTermBound(i->boundary, mb);
1141
1142            return;
1143        }
1144
1145        int64_t nextOffset = getNextRangeOffset();
1146
1147        assert (nextOffset >= http->out.offset);
1148
1149        int64_t skip = nextOffset - http->out.offset;
1150
1151        /* adjust for not to be transmitted bytes */
1152        http->out.offset = nextOffset;
1153
1154        if (available.size() <= (uint64_t)skip)
1155            return;
1156
1157        available.start += skip;
1158
1159        buf += skip;
1160
1161        if (copy_sz == 0)
1162            return;
1163    }
1164}
1165
1166/** returns expected content length for multi-range replies
1167 * note: assumes that httpHdrRangeCanonize has already been called
1168 * warning: assumes that HTTP headers for individual ranges at the
1169 *          time of the actuall assembly will be exactly the same as
1170 *          the headers when clientMRangeCLen() is called */
1171int
1172ClientHttpRequest::mRangeCLen()
1173{
1174    int64_t clen = 0;
1175    MemBuf mb;
1176
1177    assert(memObject());
1178
1179    mb.init();
1180    HttpHdrRange::iterator pos = request->range->begin();
1181
1182    while (pos != request->range->end()) {
1183        /* account for headers for this range */
1184        mb.reset();
1185        clientPackRangeHdr(memObject()->getReply(),
1186                           *pos, range_iter.boundary, &mb);
1187        clen += mb.size;
1188
1189        /* account for range content */
1190        clen += (*pos)->length;
1191
1192        debugs(33, 6, "clientMRangeCLen: (clen += " << mb.size << " + " << (*pos)->length << ") == " << clen);
1193        ++pos;
1194    }
1195
1196    /* account for the terminating boundary */
1197    mb.reset();
1198
1199    clientPackTermBound(range_iter.boundary, &mb);
1200
1201    clen += mb.size;
1202
1203    mb.clean();
1204
1205    return clen;
1206}
1207
1208/**
1209 * returns true if If-Range specs match reply, false otherwise
1210 */
1211static int
1212clientIfRangeMatch(ClientHttpRequest * http, HttpReply * rep)
1213{
1214    const TimeOrTag spec = http->request->header.getTimeOrTag(HDR_IF_RANGE);
1215    /* check for parsing falure */
1216
1217    if (!spec.valid)
1218        return 0;
1219
1220    /* got an ETag? */
1221    if (spec.tag.str) {
1222        ETag rep_tag = rep->header.getETag(HDR_ETAG);
1223        debugs(33, 3, "clientIfRangeMatch: ETags: " << spec.tag.str << " and " <<
1224               (rep_tag.str ? rep_tag.str : "<none>"));
1225
1226        if (!rep_tag.str)
1227            return 0;       /* entity has no etag to compare with! */
1228
1229        if (spec.tag.weak || rep_tag.weak) {
1230            debugs(33, DBG_IMPORTANT, "clientIfRangeMatch: Weak ETags are not allowed in If-Range: " << spec.tag.str << " ? " << rep_tag.str);
1231            return 0;       /* must use strong validator for sub-range requests */
1232        }
1233
1234        return etagIsStrongEqual(rep_tag, spec.tag);
1235    }
1236
1237    /* got modification time? */
1238    if (spec.time >= 0) {
1239        return http->storeEntry()->lastmod <= spec.time;
1240    }
1241
1242    assert(0);          /* should not happen */
1243    return 0;
1244}
1245
1246/**
1247 * generates a "unique" boundary string for multipart responses
1248 * the caller is responsible for cleaning the string */
1249String
1250ClientHttpRequest::rangeBoundaryStr() const
1251{
1252    const char *key;
1253    String b(APP_FULLNAME);
1254    b.append(":",1);
1255    key = storeEntry()->getMD5Text();
1256    b.append(key, strlen(key));
1257    return b;
1258}
1259
1260/** adds appropriate Range headers if needed */
1261void
1262ClientSocketContext::buildRangeHeader(HttpReply * rep)
1263{
1264    HttpHeader *hdr = rep ? &rep->header : 0;
1265    const char *range_err = NULL;
1266    HttpRequest *request = http->request;
1267    assert(request->range);
1268    /* check if we still want to do ranges */
1269
1270    int64_t roffLimit = request->getRangeOffsetLimit();
1271
1272    if (!rep)
1273        range_err = "no [parse-able] reply";
1274    else if ((rep->sline.status() != Http::scOkay) && (rep->sline.status() != Http::scPartialContent))
1275        range_err = "wrong status code";
1276    else if (hdr->has(HDR_CONTENT_RANGE))
1277        range_err = "origin server does ranges";
1278    else if (rep->content_length < 0)
1279        range_err = "unknown length";
1280    else if (rep->content_length != http->memObject()->getReply()->content_length)
1281        range_err = "INCONSISTENT length";  /* a bug? */
1282
1283    /* hits only - upstream CachePeer determines correct behaviour on misses, and client_side_reply determines
1284     * hits candidates
1285     */
1286    else if (logTypeIsATcpHit(http->logType) && http->request->header.has(HDR_IF_RANGE) && !clientIfRangeMatch(http, rep))
1287        range_err = "If-Range match failed";
1288    else if (!http->request->range->canonize(rep))
1289        range_err = "canonization failed";
1290    else if (http->request->range->isComplex())
1291        range_err = "too complex range header";
1292    else if (!logTypeIsATcpHit(http->logType) && http->request->range->offsetLimitExceeded(roffLimit))
1293        range_err = "range outside range_offset_limit";
1294
1295    /* get rid of our range specs on error */
1296    if (range_err) {
1297        /* XXX We do this here because we need canonisation etc. However, this current
1298         * code will lead to incorrect store offset requests - the store will have the
1299         * offset data, but we won't be requesting it.
1300         * So, we can either re-request, or generate an error
1301         */
1302        http->request->ignoreRange(range_err);
1303    } else {
1304        /* XXX: TODO: Review, this unconditional set may be wrong. */
1305        rep->sline.set(rep->sline.version, Http::scPartialContent);
1306        // web server responded with a valid, but unexpected range.
1307        // will (try-to) forward as-is.
1308        //TODO: we should cope with multirange request/responses
1309        bool replyMatchRequest = rep->content_range != NULL ?
1310                                 request->range->contains(rep->content_range->spec) :
1311                                 true;
1312        const int spec_count = http->request->range->specs.size();
1313        int64_t actual_clen = -1;
1314
1315        debugs(33, 3, "clientBuildRangeHeader: range spec count: " <<
1316               spec_count << " virgin clen: " << rep->content_length);
1317        assert(spec_count > 0);
1318        /* append appropriate header(s) */
1319
1320        if (spec_count == 1) {
1321            if (!replyMatchRequest) {
1322                hdr->delById(HDR_CONTENT_RANGE);
1323                hdr->putContRange(rep->content_range);
1324                actual_clen = rep->content_length;
1325                //http->range_iter.pos = rep->content_range->spec.begin();
1326                (*http->range_iter.pos)->offset = rep->content_range->spec.offset;
1327                (*http->range_iter.pos)->length = rep->content_range->spec.length;
1328
1329            } else {
1330                HttpHdrRange::iterator pos = http->request->range->begin();
1331                assert(*pos);
1332                /* append Content-Range */
1333
1334                if (!hdr->has(HDR_CONTENT_RANGE)) {
1335                    /* No content range, so this was a full object we are
1336                     * sending parts of.
1337                     */
1338                    httpHeaderAddContRange(hdr, **pos, rep->content_length);
1339                }
1340
1341                /* set new Content-Length to the actual number of bytes
1342                 * transmitted in the message-body */
1343                actual_clen = (*pos)->length;
1344            }
1345        } else {
1346            /* multipart! */
1347            /* generate boundary string */
1348            http->range_iter.boundary = http->rangeBoundaryStr();
1349            /* delete old Content-Type, add ours */
1350            hdr->delById(HDR_CONTENT_TYPE);
1351            httpHeaderPutStrf(hdr, HDR_CONTENT_TYPE,
1352                              "multipart/byteranges; boundary=\"" SQUIDSTRINGPH "\"",
1353                              SQUIDSTRINGPRINT(http->range_iter.boundary));
1354            /* Content-Length is not required in multipart responses
1355             * but it is always nice to have one */
1356            actual_clen = http->mRangeCLen();
1357            /* http->out needs to start where we want data at */
1358            http->out.offset = http->range_iter.currentSpec()->offset;
1359        }
1360
1361        /* replace Content-Length header */
1362        assert(actual_clen >= 0);
1363
1364        hdr->delById(HDR_CONTENT_LENGTH);
1365
1366        hdr->putInt64(HDR_CONTENT_LENGTH, actual_clen);
1367
1368        debugs(33, 3, "clientBuildRangeHeader: actual content length: " << actual_clen);
1369
1370        /* And start the range iter off */
1371        http->range_iter.updateSpec();
1372    }
1373}
1374
1375void
1376ClientSocketContext::prepareReply(HttpReply * rep)
1377{
1378    reply = rep;
1379
1380    if (http->request->range)
1381        buildRangeHeader(rep);
1382}
1383
1384void
1385ClientSocketContext::sendStartOfMessage(HttpReply * rep, StoreIOBuffer bodyData)
1386{
1387    prepareReply(rep);
1388    assert (rep);
1389    MemBuf *mb = rep->pack();
1390
1391    // dump now, so we dont output any body.
1392    debugs(11, 2, "HTTP Client " << clientConnection);
1393    debugs(11, 2, "HTTP Client REPLY:\n---------\n" << mb->buf << "\n----------");
1394
1395    /* Save length of headers for persistent conn checks */
1396    http->out.headers_sz = mb->contentSize();
1397#if HEADERS_LOG
1398
1399    headersLog(0, 0, http->request->method, rep);
1400#endif
1401
1402    if (bodyData.data && bodyData.length) {
1403        if (multipartRangeRequest())
1404            packRange(bodyData, mb);
1405        else if (http->request->flags.chunkedReply) {
1406            packChunk(bodyData, *mb);
1407        } else {
1408            size_t length = lengthToSend(bodyData.range());
1409            noteSentBodyBytes (length);
1410
1411            mb->append(bodyData.data, length);
1412        }
1413    }
1414
1415    /* write */
1416    debugs(33,7, HERE << "sendStartOfMessage schedules clientWriteComplete");
1417    AsyncCall::Pointer call = commCbCall(33, 5, "clientWriteComplete",
1418                                         CommIoCbPtrFun(clientWriteComplete, this));
1419    Comm::Write(clientConnection, mb, call);
1420    delete mb;
1421}
1422
1423/**
1424 * Write a chunk of data to a client socket. If the reply is present,
1425 * send the reply headers down the wire too, and clean them up when
1426 * finished.
1427 * Pre-condition:
1428 *   The request is one backed by a connection, not an internal request.
1429 *   data context is not NULL
1430 *   There are no more entries in the stream chain.
1431 */
1432void
1433clientSocketRecipient(clientStreamNode * node, ClientHttpRequest * http,
1434                      HttpReply * rep, StoreIOBuffer receivedData)
1435{
1436    // dont tryt to deliver if client already ABORTED
1437    if (!http->getConn() || !cbdataReferenceValid(http->getConn()) || !Comm::IsConnOpen(http->getConn()->clientConnection))
1438        return;
1439
1440    /* Test preconditions */
1441    assert(node != NULL);
1442    PROF_start(clientSocketRecipient);
1443    /* TODO: handle this rather than asserting
1444     * - it should only ever happen if we cause an abort and
1445     * the callback chain loops back to here, so we can simply return.
1446     * However, that itself shouldn't happen, so it stays as an assert for now.
1447     */
1448    assert(cbdataReferenceValid(node));
1449    assert(node->node.next == NULL);
1450    ClientSocketContext::Pointer context = dynamic_cast<ClientSocketContext *>(node->data.getRaw());
1451    assert(context != NULL);
1452
1453    /* TODO: check offset is what we asked for */
1454
1455    if (context != http->getConn()->getCurrentContext())
1456        context->deferRecipientForLater(node, rep, receivedData);
1457    else
1458        http->getConn()->handleReply(rep, receivedData);
1459
1460    PROF_stop(clientSocketRecipient);
1461}
1462
1463/**
1464 * Called when a downstream node is no longer interested in
1465 * our data. As we are a terminal node, this means on aborts
1466 * only
1467 */
1468void
1469clientSocketDetach(clientStreamNode * node, ClientHttpRequest * http)
1470{
1471    /* Test preconditions */
1472    assert(node != NULL);
1473    /* TODO: handle this rather than asserting
1474     * - it should only ever happen if we cause an abort and
1475     * the callback chain loops back to here, so we can simply return.
1476     * However, that itself shouldn't happen, so it stays as an assert for now.
1477     */
1478    assert(cbdataReferenceValid(node));
1479    /* Set null by ContextFree */
1480    assert(node->node.next == NULL);
1481    /* this is the assert discussed above */
1482    assert(NULL == dynamic_cast<ClientSocketContext *>(node->data.getRaw()));
1483    /* We are only called when the client socket shutsdown.
1484     * Tell the prev pipeline member we're finished
1485     */
1486    clientStreamDetach(node, http);
1487}
1488
1489static void
1490clientWriteBodyComplete(const Comm::ConnectionPointer &conn, char *buf, size_t size, Comm::Flag errflag, int xerrno, void *data)
1491{
1492    debugs(33,7, HERE << "clientWriteBodyComplete schedules clientWriteComplete");
1493    clientWriteComplete(conn, NULL, size, errflag, xerrno, data);
1494}
1495
1496void
1497ConnStateData::readNextRequest()
1498{
1499    debugs(33, 5, HERE << clientConnection << " reading next req");
1500
1501    fd_note(clientConnection->fd, "Idle client: Waiting for next request");
1502    /**
1503     * Set the timeout BEFORE calling readSomeData().
1504     */
1505    typedef CommCbMemFunT<ConnStateData, CommTimeoutCbParams> TimeoutDialer;
1506    AsyncCall::Pointer timeoutCall = JobCallback(33, 5,
1507                                     TimeoutDialer, this, ConnStateData::requestTimeout);
1508    commSetConnTimeout(clientConnection, idleTimeout(), timeoutCall);
1509
1510    readSomeData();
1511    /** Please don't do anything with the FD past here! */
1512}
1513
1514static void
1515ClientSocketContextPushDeferredIfNeeded(ClientSocketContext::Pointer deferredRequest, ConnStateData * conn)
1516{
1517    debugs(33, 2, HERE << conn->clientConnection << " Sending next");
1518
1519    /** If the client stream is waiting on a socket write to occur, then */
1520
1521    if (deferredRequest->flags.deferred) {
1522        /** NO data is allowed to have been sent. */
1523        assert(deferredRequest->http->out.size == 0);
1524        /** defer now. */
1525        clientSocketRecipient(deferredRequest->deferredparams.node,
1526                              deferredRequest->http,
1527                              deferredRequest->deferredparams.rep,
1528                              deferredRequest->deferredparams.queuedBuffer);
1529    }
1530
1531    /** otherwise, the request is still active in a callbacksomewhere,
1532     * and we are done
1533     */
1534}
1535
1536/// called when we have successfully finished writing the response
1537void
1538ClientSocketContext::keepaliveNextRequest()
1539{
1540    ConnStateData * conn = http->getConn();
1541
1542    debugs(33, 3, HERE << "ConnnStateData(" << conn->clientConnection << "), Context(" << clientConnection << ")");
1543    connIsFinished();
1544
1545    if (conn->pinning.pinned && !Comm::IsConnOpen(conn->pinning.serverConnection)) {
1546        debugs(33, 2, HERE << conn->clientConnection << " Connection was pinned but server side gone. Terminating client connection");
1547        conn->clientConnection->close();
1548        return;
1549    }
1550
1551    /** \par
1552     * We are done with the response, and we are either still receiving request
1553     * body (early response!) or have already stopped receiving anything.
1554     *
1555     * If we are still receiving, then clientParseRequest() below will fail.
1556     * (XXX: but then we will call readNextRequest() which may succeed and
1557     * execute a smuggled request as we are not done with the current request).
1558     *
1559     * If we stopped because we got everything, then try the next request.
1560     *
1561     * If we stopped receiving because of an error, then close now to avoid
1562     * getting stuck and to prevent accidental request smuggling.
1563     */
1564
1565    if (const char *reason = conn->stoppedReceiving()) {
1566        debugs(33, 3, HERE << "closing for earlier request error: " << reason);
1567        conn->clientConnection->close();
1568        return;
1569    }
1570
1571    /** \par
1572     * Attempt to parse a request from the request buffer.
1573     * If we've been fed a pipelined request it may already
1574     * be in our read buffer.
1575     *
1576     \par
1577     * This needs to fall through - if we're unlucky and parse the _last_ request
1578     * from our read buffer we may never re-register for another client read.
1579     */
1580
1581    if (conn->clientParseRequests()) {
1582        debugs(33, 3, HERE << conn->clientConnection << ": parsed next request from buffer");
1583    }
1584
1585    /** \par
1586     * Either we need to kick-start another read or, if we have
1587     * a half-closed connection, kill it after the last request.
1588     * This saves waiting for half-closed connections to finished being
1589     * half-closed _AND_ then, sometimes, spending "Timeout" time in
1590     * the keepalive "Waiting for next request" state.
1591     */
1592    if (commIsHalfClosed(conn->clientConnection->fd) && (conn->getConcurrentRequestCount() == 0)) {
1593        debugs(33, 3, "ClientSocketContext::keepaliveNextRequest: half-closed client with no pending requests, closing");
1594        conn->clientConnection->close();
1595        return;
1596    }
1597
1598    ClientSocketContext::Pointer deferredRequest;
1599
1600    /** \par
1601     * At this point we either have a parsed request (which we've
1602     * kicked off the processing for) or not. If we have a deferred
1603     * request (parsed but deferred for pipeling processing reasons)
1604     * then look at processing it. If not, simply kickstart
1605     * another read.
1606     */
1607
1608    if ((deferredRequest = conn->getCurrentContext()).getRaw()) {
1609        debugs(33, 3, HERE << conn->clientConnection << ": calling PushDeferredIfNeeded");
1610        ClientSocketContextPushDeferredIfNeeded(deferredRequest, conn);
1611    } else if (conn->flags.readMore) {
1612        debugs(33, 3, HERE << conn->clientConnection << ": calling conn->readNextRequest()");
1613        conn->readNextRequest();
1614    } else {
1615        // XXX: Can this happen? CONNECT tunnels have deferredRequest set.
1616        debugs(33, DBG_IMPORTANT, HERE << "abandoning " << conn->clientConnection);
1617    }
1618}
1619
1620void
1621clientUpdateSocketStats(LogTags logType, size_t size)
1622{
1623    if (size == 0)
1624        return;
1625
1626    kb_incr(&statCounter.client_http.kbytes_out, size);
1627
1628    if (logTypeIsATcpHit(logType))
1629        kb_incr(&statCounter.client_http.hit_kbytes_out, size);
1630}
1631
1632/**
1633 * increments iterator "i"
1634 * used by clientPackMoreRanges
1635 *
1636 \retval true    there is still data available to pack more ranges
1637 \retval false
1638 */
1639bool
1640ClientSocketContext::canPackMoreRanges() const
1641{
1642    /** first update iterator "i" if needed */
1643
1644    if (!http->range_iter.debt()) {
1645        debugs(33, 5, HERE << "At end of current range spec for " << clientConnection);
1646
1647        if (http->range_iter.pos != http->range_iter.end)
1648            ++http->range_iter.pos;
1649
1650        http->range_iter.updateSpec();
1651    }
1652
1653    assert(!http->range_iter.debt() == !http->range_iter.currentSpec());
1654
1655    /* paranoid sync condition */
1656    /* continue condition: need_more_data */
1657    debugs(33, 5, "ClientSocketContext::canPackMoreRanges: returning " << (http->range_iter.currentSpec() ? true : false));
1658    return http->range_iter.currentSpec() ? true : false;
1659}
1660
1661int64_t
1662ClientSocketContext::getNextRangeOffset() const
1663{
1664    debugs (33, 5, "range: " << http->request->range <<
1665            "; http offset " << http->out.offset <<
1666            "; reply " << reply);
1667
1668    // XXX: This method is called from many places, including pullData() which
1669    // may be called before prepareReply() [on some Squid-generated errors].
1670    // Hence, we may not even know yet whether we should honor/do ranges.
1671
1672    if (http->request->range) {
1673        /* offset in range specs does not count the prefix of an http msg */
1674        /* check: reply was parsed and range iterator was initialized */
1675        assert(http->range_iter.valid);
1676        /* filter out data according to range specs */
1677        assert (canPackMoreRanges());
1678        {
1679            int64_t start;      /* offset of still missing data */
1680            assert(http->range_iter.currentSpec());
1681            start = http->range_iter.currentSpec()->offset + http->range_iter.currentSpec()->length - http->range_iter.debt();
1682            debugs(33, 3, "clientPackMoreRanges: in:  offset: " << http->out.offset);
1683            debugs(33, 3, "clientPackMoreRanges: out:"
1684                   " start: " << start <<
1685                   " spec[" << http->range_iter.pos - http->request->range->begin() << "]:" <<
1686                   " [" << http->range_iter.currentSpec()->offset <<
1687                   ", " << http->range_iter.currentSpec()->offset + http->range_iter.currentSpec()->length << "),"
1688                   " len: " << http->range_iter.currentSpec()->length <<
1689                   " debt: " << http->range_iter.debt());
1690            if (http->range_iter.currentSpec()->length != -1)
1691                assert(http->out.offset <= start);  /* we did not miss it */
1692
1693            return start;
1694        }
1695
1696    } else if (reply && reply->content_range) {
1697        /* request does not have ranges, but reply does */
1698        /** \todo FIXME: should use range_iter_pos on reply, as soon as reply->content_range
1699         *        becomes HttpHdrRange rather than HttpHdrRangeSpec.
1700         */
1701        return http->out.offset + reply->content_range->spec.offset;
1702    }
1703
1704    return http->out.offset;
1705}
1706
1707void
1708ClientSocketContext::pullData()
1709{
1710    debugs(33, 5, reply << " written " << http->out.size << " into " << clientConnection);
1711
1712    /* More data will be coming from the stream. */
1713    StoreIOBuffer readBuffer;
1714    /* XXX: Next requested byte in the range sequence */
1715    /* XXX: length = getmaximumrangelenfgth */
1716    readBuffer.offset = getNextRangeOffset();
1717    readBuffer.length = HTTP_REQBUF_SZ;
1718    readBuffer.data = reqbuf;
1719    /* we may note we have reached the end of the wanted ranges */
1720    clientStreamRead(getTail(), http, readBuffer);
1721}
1722
1723/** Adapt stream status to account for Range cases
1724 *
1725 */
1726clientStream_status_t
1727ClientSocketContext::socketState()
1728{
1729    switch (clientStreamStatus(getTail(), http)) {
1730
1731    case STREAM_NONE:
1732        /* check for range support ending */
1733
1734        if (http->request->range) {
1735            /* check: reply was parsed and range iterator was initialized */
1736            assert(http->range_iter.valid);
1737            /* filter out data according to range specs */
1738
1739            if (!canPackMoreRanges()) {
1740                debugs(33, 5, HERE << "Range request at end of returnable " <<
1741                       "range sequence on " << clientConnection);
1742                // we got everything we wanted from the store
1743                return STREAM_COMPLETE;
1744            }
1745        } else if (reply && reply->content_range) {
1746            /* reply has content-range, but Squid is not managing ranges */
1747            const int64_t &bytesSent = http->out.offset;
1748            const int64_t &bytesExpected = reply->content_range->spec.length;
1749
1750            debugs(33, 7, HERE << "body bytes sent vs. expected: " <<
1751                   bytesSent << " ? " << bytesExpected << " (+" <<
1752                   reply->content_range->spec.offset << ")");
1753
1754            // did we get at least what we expected, based on range specs?
1755
1756            if (bytesSent == bytesExpected) // got everything
1757                return STREAM_COMPLETE;
1758
1759            if (bytesSent > bytesExpected) // Error: Sent more than expected
1760                return STREAM_UNPLANNED_COMPLETE;
1761        }
1762
1763        return STREAM_NONE;
1764
1765    case STREAM_COMPLETE:
1766        return STREAM_COMPLETE;
1767
1768    case STREAM_UNPLANNED_COMPLETE:
1769        return STREAM_UNPLANNED_COMPLETE;
1770
1771    case STREAM_FAILED:
1772        return STREAM_FAILED;
1773    }
1774
1775    fatal ("unreachable code\n");
1776    return STREAM_NONE;
1777}
1778
1779/**
1780 * A write has just completed to the client, or we have just realised there is
1781 * no more data to send.
1782 */
1783void
1784clientWriteComplete(const Comm::ConnectionPointer &conn, char *bufnotused, size_t size, Comm::Flag errflag, int xerrno, void *data)
1785{
1786    ClientSocketContext *context = (ClientSocketContext *)data;
1787    context->writeComplete(conn, bufnotused, size, errflag);
1788}
1789
1790/// remembers the abnormal connection termination for logging purposes
1791void
1792ClientSocketContext::noteIoError(const int xerrno)
1793{
1794    if (http) {
1795        if (xerrno == ETIMEDOUT)
1796            http->al->http.timedout = true;
1797        else // even if xerrno is zero (which means read abort/eof)
1798            http->al->http.aborted = true;
1799    }
1800}
1801
1802void
1803ClientSocketContext::doClose()
1804{
1805    clientConnection->close();
1806}
1807
1808/// called when we encounter a response-related error
1809void
1810ClientSocketContext::initiateClose(const char *reason)
1811{
1812    http->getConn()->stopSending(reason); // closes ASAP
1813}
1814
1815void
1816ConnStateData::stopSending(const char *error)
1817{
1818    debugs(33, 4, HERE << "sending error (" << clientConnection << "): " << error <<
1819           "; old receiving error: " <<
1820           (stoppedReceiving() ? stoppedReceiving_ : "none"));
1821
1822    if (const char *oldError = stoppedSending()) {
1823        debugs(33, 3, HERE << "already stopped sending: " << oldError);
1824        return; // nothing has changed as far as this connection is concerned
1825    }
1826    stoppedSending_ = error;
1827
1828    if (!stoppedReceiving()) {
1829        if (const int64_t expecting = mayNeedToReadMoreBody()) {
1830            debugs(33, 5, HERE << "must still read " << expecting <<
1831                   " request body bytes with " << in.buf.length() << " unused");
1832            return; // wait for the request receiver to finish reading
1833        }
1834    }
1835
1836    clientConnection->close();
1837}
1838
1839void
1840ClientSocketContext::writeComplete(const Comm::ConnectionPointer &conn, char *bufnotused, size_t size, Comm::Flag errflag)
1841{
1842    const StoreEntry *entry = http->storeEntry();
1843    http->out.size += size;
1844    debugs(33, 5, HERE << conn << ", sz " << size <<
1845           ", err " << errflag << ", off " << http->out.size << ", len " <<
1846           (entry ? entry->objectLen() : 0));
1847    clientUpdateSocketStats(http->logType, size);
1848
1849    /* Bail out quickly on Comm::ERR_CLOSING - close handlers will tidy up */
1850
1851    if (errflag == Comm::ERR_CLOSING || !Comm::IsConnOpen(conn))
1852        return;
1853
1854    if (errflag || clientHttpRequestStatus(conn->fd, http)) {
1855        initiateClose("failure or true request status");
1856        /* Do we leak here ? */
1857        return;
1858    }
1859
1860    switch (socketState()) {
1861
1862    case STREAM_NONE:
1863        pullData();
1864        break;
1865
1866    case STREAM_COMPLETE:
1867        debugs(33, 5, conn << " Stream complete, keepalive is " << http->request->flags.proxyKeepalive);
1868        if (http->request->flags.proxyKeepalive)
1869            keepaliveNextRequest();
1870        else
1871            initiateClose("STREAM_COMPLETE NOKEEPALIVE");
1872        return;
1873
1874    case STREAM_UNPLANNED_COMPLETE:
1875        initiateClose("STREAM_UNPLANNED_COMPLETE");
1876        return;
1877
1878    case STREAM_FAILED:
1879        initiateClose("STREAM_FAILED");
1880        return;
1881
1882    default:
1883        fatal("Hit unreachable code in clientWriteComplete\n");
1884    }
1885}
1886
1887ClientSocketContext *
1888ConnStateData::abortRequestParsing(const char *const uri)
1889{
1890    ClientHttpRequest *http = new ClientHttpRequest(this);
1891    http->req_sz = in.buf.length();
1892    http->uri = xstrdup(uri);
1893    setLogUri (http, uri);
1894    ClientSocketContext *context = new ClientSocketContext(clientConnection, http);
1895    StoreIOBuffer tempBuffer;
1896    tempBuffer.data = context->reqbuf;
1897    tempBuffer.length = HTTP_REQBUF_SZ;
1898    clientStreamInit(&http->client_stream, clientGetMoreData, clientReplyDetach,
1899                     clientReplyStatus, new clientReplyContext(http), clientSocketRecipient,
1900                     clientSocketDetach, context, tempBuffer);
1901    return context;
1902}
1903
1904void
1905ConnStateData::startShutdown()
1906{
1907    // RegisteredRunner API callback - Squid has been shut down
1908
1909    // if connection is idle terminate it now,
1910    // otherwise wait for grace period to end
1911    if (getConcurrentRequestCount() == 0)
1912        endingShutdown();
1913}
1914
1915void
1916ConnStateData::endingShutdown()
1917{
1918    // RegisteredRunner API callback - Squid shutdown grace period is over
1919
1920    // force the client connection to close immediately
1921    // swanSong() in the close handler will cleanup.
1922    if (Comm::IsConnOpen(clientConnection))
1923        clientConnection->close();
1924
1925    // deregister now to ensure finalShutdown() does not kill us prematurely.
1926    // fd_table purge will cleanup if close handler was not fast enough.
1927    DeregisterRunner(this);
1928}
1929
1930char *
1931skipLeadingSpace(char *aString)
1932{
1933    char *result = aString;
1934
1935    while (xisspace(*aString))
1936        ++aString;
1937
1938    return result;
1939}
1940
1941/**
1942 * 'end' defaults to NULL for backwards compatibility
1943 * remove default value if we ever get rid of NULL-terminated
1944 * request buffers.
1945 */
1946const char *
1947findTrailingHTTPVersion(const char *uriAndHTTPVersion, const char *end)
1948{
1949    if (NULL == end) {
1950        end = uriAndHTTPVersion + strcspn(uriAndHTTPVersion, "\r\n");
1951        assert(end);
1952    }
1953
1954    for (; end > uriAndHTTPVersion; --end) {
1955        if (*end == '\n' || *end == '\r')
1956            continue;
1957
1958        if (xisspace(*end)) {
1959            if (strncasecmp(end + 1, "HTTP/", 5) == 0)
1960                return end + 1;
1961            else
1962                break;
1963        }
1964    }
1965
1966    return NULL;
1967}
1968
1969void
1970setLogUri(ClientHttpRequest * http, char const *uri, bool cleanUrl)
1971{
1972    safe_free(http->log_uri);
1973
1974    if (!cleanUrl)
1975        // The uri is already clean just dump it.
1976        http->log_uri = xstrndup(uri, MAX_URL);
1977    else {
1978        int flags = 0;
1979        switch (Config.uri_whitespace) {
1980        case URI_WHITESPACE_ALLOW:
1981            flags |= RFC1738_ESCAPE_NOSPACE;
1982
1983        case URI_WHITESPACE_ENCODE:
1984            flags |= RFC1738_ESCAPE_UNESCAPED;
1985            http->log_uri = xstrndup(rfc1738_do_escape(uri, flags), MAX_URL);
1986            break;
1987
1988        case URI_WHITESPACE_CHOP: {
1989            flags |= RFC1738_ESCAPE_NOSPACE;
1990            flags |= RFC1738_ESCAPE_UNESCAPED;
1991            http->log_uri = xstrndup(rfc1738_do_escape(uri, flags), MAX_URL);
1992            int pos = strcspn(http->log_uri, w_space);
1993            http->log_uri[pos] = '\0';
1994        }
1995        break;
1996
1997        case URI_WHITESPACE_DENY:
1998        case URI_WHITESPACE_STRIP:
1999        default: {
2000            const char *t;
2001            char *tmp_uri = static_cast<char*>(xmalloc(strlen(uri) + 1));
2002            char *q = tmp_uri;
2003            t = uri;
2004            while (*t) {
2005                if (!xisspace(*t)) {
2006                    *q = *t;
2007                    ++q;
2008                }
2009                ++t;
2010            }
2011            *q = '\0';
2012            http->log_uri = xstrndup(rfc1738_escape_unescaped(tmp_uri), MAX_URL);
2013            xfree(tmp_uri);
2014        }
2015        break;
2016        }
2017    }
2018}
2019
2020static void
2021prepareAcceleratedURL(ConnStateData * conn, ClientHttpRequest *http, char *url, const char *req_hdr)
2022{
2023    int vhost = conn->port->vhost;
2024    int vport = conn->port->vport;
2025    char *host;
2026    char ipbuf[MAX_IPSTRLEN];
2027
2028    http->flags.accel = true;
2029
2030    /* BUG: Squid cannot deal with '*' URLs (RFC2616 5.1.2) */
2031
2032    if (strncasecmp(url, "cache_object://", 15) == 0)
2033        return; /* already in good shape */
2034
2035    if (*url != '/') {
2036        if (conn->port->vhost)
2037            return; /* already in good shape */
2038
2039        /* else we need to ignore the host name */
2040        url = strstr(url, "//");
2041
2042#if SHOULD_REJECT_UNKNOWN_URLS
2043
2044        if (!url) {
2045            hp->request_parse_status = Http::scBadRequest;
2046            return conn->abortRequestParsing("error:invalid-request");
2047        }
2048#endif
2049
2050        if (url)
2051            url = strchr(url + 2, '/');
2052
2053        if (!url)
2054            url = (char *) "/";
2055    }
2056
2057    if (vport < 0)
2058        vport = http->getConn()->clientConnection->local.port();
2059
2060    const bool switchedToHttps = conn->switchedToHttps();
2061    const bool tryHostHeader = vhost || switchedToHttps;
2062    if (tryHostHeader && (host = mime_get_header(req_hdr, "Host")) != NULL) {
2063        debugs(33, 5, "ACCEL VHOST REWRITE: vhost=" << host << " + vport=" << vport);
2064        char thost[256];
2065        if (vport > 0) {
2066            thost[0] = '\0';
2067            char *t = NULL;
2068            if (host[strlen(host)] != ']' && (t = strrchr(host,':')) != NULL) {
2069                strncpy(thost, host, (t-host));
2070                snprintf(thost+(t-host), sizeof(thost)-(t-host), ":%d", vport);
2071                host = thost;
2072            } else if (!t) {
2073                snprintf(thost, sizeof(thost), "%s:%d",host, vport);
2074                host = thost;
2075            }
2076        } // else nothing to alter port-wise.
2077        int url_sz = strlen(url) + 32 + Config.appendDomainLen +
2078                     strlen(host);
2079        http->uri = (char *)xcalloc(url_sz, 1);
2080        const char *protocol = switchedToHttps ?
2081                               "https" : AnyP::UriScheme(conn->port->transport.protocol).c_str();
2082        snprintf(http->uri, url_sz, "%s://%s%s", protocol, host, url);
2083        debugs(33, 5, "ACCEL VHOST REWRITE: '" << http->uri << "'");
2084    } else if (conn->port->defaultsite /* && !vhost */) {
2085        debugs(33, 5, "ACCEL DEFAULTSITE REWRITE: defaultsite=" << conn->port->defaultsite << " + vport=" << vport);
2086        int url_sz = strlen(url) + 32 + Config.appendDomainLen +
2087                     strlen(conn->port->defaultsite);
2088        http->uri = (char *)xcalloc(url_sz, 1);
2089        char vportStr[32];
2090        vportStr[0] = '\0';
2091        if (vport > 0) {
2092            snprintf(vportStr, sizeof(vportStr),":%d",vport);
2093        }
2094        snprintf(http->uri, url_sz, "%s://%s%s%s",
2095                 AnyP::UriScheme(conn->port->transport.protocol).c_str(), conn->port->defaultsite, vportStr, url);
2096        debugs(33, 5, "ACCEL DEFAULTSITE REWRITE: '" << http->uri <<"'");
2097    } else if (vport > 0 /* && (!vhost || no Host:) */) {
2098        debugs(33, 5, "ACCEL VPORT REWRITE: *_port IP + vport=" << vport);
2099        /* Put the local socket IP address as the hostname, with whatever vport we found  */
2100        int url_sz = strlen(url) + 32 + Config.appendDomainLen;
2101        http->uri = (char *)xcalloc(url_sz, 1);
2102        http->getConn()->clientConnection->local.toHostStr(ipbuf,MAX_IPSTRLEN);
2103        snprintf(http->uri, url_sz, "%s://%s:%d%s",
2104                 AnyP::UriScheme(conn->port->transport.protocol).c_str(),
2105                 ipbuf, vport, url);
2106        debugs(33, 5, "ACCEL VPORT REWRITE: '" << http->uri << "'");
2107    }
2108}
2109
2110static void
2111prepareTransparentURL(ConnStateData * conn, ClientHttpRequest *http, char *url, const char *req_hdr)
2112{
2113    char *host;
2114    char ipbuf[MAX_IPSTRLEN];
2115
2116    if (*url != '/')
2117        return; /* already in good shape */
2118
2119    /* BUG: Squid cannot deal with '*' URLs (RFC2616 5.1.2) */
2120
2121    if ((host = mime_get_header(req_hdr, "Host")) != NULL) {
2122        int url_sz = strlen(url) + 32 + Config.appendDomainLen +
2123                     strlen(host);
2124        http->uri = (char *)xcalloc(url_sz, 1);
2125        snprintf(http->uri, url_sz, "%s://%s%s", AnyP::UriScheme(conn->port->transport.protocol).c_str(), host, url);
2126        debugs(33, 5, "TRANSPARENT HOST REWRITE: '" << http->uri <<"'");
2127    } else {
2128        /* Put the local socket IP address as the hostname.  */
2129        int url_sz = strlen(url) + 32 + Config.appendDomainLen;
2130        http->uri = (char *)xcalloc(url_sz, 1);
2131        http->getConn()->clientConnection->local.toHostStr(ipbuf,MAX_IPSTRLEN);
2132        snprintf(http->uri, url_sz, "%s://%s:%d%s",
2133                 AnyP::UriScheme(http->getConn()->port->transport.protocol).c_str(),
2134                 ipbuf, http->getConn()->clientConnection->local.port(), url);
2135        debugs(33, 5, "TRANSPARENT REWRITE: '" << http->uri << "'");
2136    }
2137}
2138
2139/** Parse an HTTP request
2140 *
2141 *  \note Sets result->flags.parsed_ok to 0 if failed to parse the request,
2142 *          to 1 if the request was correctly parsed.
2143 *  \param[in] csd a ConnStateData. The caller must make sure it is not null
2144 *  \param[in] hp an HttpParser
2145 *  \param[out] mehtod_p will be set as a side-effect of the parsing.
2146 *          Pointed-to value will be set to Http::METHOD_NONE in case of
2147 *          parsing failure
2148 *  \param[out] http_ver will be set as a side-effect of the parsing
2149 *  \return NULL on incomplete requests,
2150 *          a ClientSocketContext structure on success or failure.
2151 */
2152ClientSocketContext *
2153parseHttpRequest(ConnStateData *csd, HttpParser *hp, HttpRequestMethod * method_p, Http::ProtocolVersion *http_ver)
2154{
2155    char *req_hdr = NULL;
2156    char *end;
2157    size_t req_sz;
2158    ClientHttpRequest *http;
2159    ClientSocketContext *result;
2160    StoreIOBuffer tempBuffer;
2161    int r;
2162
2163    /* pre-set these values to make aborting simpler */
2164    *method_p = Http::METHOD_NONE;
2165
2166    /* NP: don't be tempted to move this down or remove again.
2167     * It's the only DDoS protection old-String has against long URL */
2168    if ( hp->bufsiz <= 0) {
2169        debugs(33, 5, "Incomplete request, waiting for end of request line");
2170        return NULL;
2171    } else if ( (size_t)hp->bufsiz >= Config.maxRequestHeaderSize && headersEnd(hp->buf, Config.maxRequestHeaderSize) == 0) {
2172        debugs(33, 5, "parseHttpRequest: Too large request");
2173        hp->request_parse_status = Http::scHeaderTooLarge;
2174        return csd->abortRequestParsing("error:request-too-large");
2175    }
2176
2177    /* Attempt to parse the first line; this'll define the method, url, version and header begin */
2178    r = HttpParserParseReqLine(hp);
2179
2180    if (r == 0) {
2181        debugs(33, 5, "Incomplete request, waiting for end of request line");
2182        return NULL;
2183    }
2184
2185    if (r == -1) {
2186        return csd->abortRequestParsing("error:invalid-request");
2187    }
2188
2189    /* Request line is valid here .. */
2190    *http_ver = Http::ProtocolVersion(hp->req.v_maj, hp->req.v_min);
2191
2192    /* This call scans the entire request, not just the headers */
2193    if (hp->req.v_maj > 0) {
2194        if ((req_sz = headersEnd(hp->buf, hp->bufsiz)) == 0) {
2195            debugs(33, 5, "Incomplete request, waiting for end of headers");
2196            return NULL;
2197        }
2198    } else {
2199        debugs(33, 3, "parseHttpRequest: Missing HTTP identifier");
2200        req_sz = HttpParserReqSz(hp);
2201    }
2202
2203    /* We know the whole request is in hp->buf now */
2204
2205    assert(req_sz <= (size_t) hp->bufsiz);
2206
2207    /* Will the following be true with HTTP/0.9 requests? probably not .. */
2208    /* So the rest of the code will need to deal with '0'-byte headers (ie, none, so don't try parsing em) */
2209    assert(req_sz > 0);
2210
2211    hp->hdr_end = req_sz - 1;
2212
2213    hp->hdr_start = hp->req.end + 1;
2214
2215    /* Enforce max_request_size */
2216    if (req_sz >= Config.maxRequestHeaderSize) {
2217        debugs(33, 5, "parseHttpRequest: Too large request");
2218        hp->request_parse_status = Http::scHeaderTooLarge;
2219        return csd->abortRequestParsing("error:request-too-large");
2220    }
2221
2222    /* Set method_p */
2223    *method_p = HttpRequestMethod(&hp->buf[hp->req.m_start], &hp->buf[hp->req.m_end]+1);
2224
2225    /* deny CONNECT via accelerated ports */
2226    if (*method_p == Http::METHOD_CONNECT && csd->port != NULL && csd->port->flags.accelSurrogate) {
2227        debugs(33, DBG_IMPORTANT, "WARNING: CONNECT method received on " << csd->port->transport.protocol << " Accelerator port " << csd->port->s.port());
2228        /* XXX need a way to say "this many character length string" */
2229        debugs(33, DBG_IMPORTANT, "WARNING: for request: " << hp->buf);
2230        hp->request_parse_status = Http::scMethodNotAllowed;
2231        return csd->abortRequestParsing("error:method-not-allowed");
2232    }
2233
2234    /* RFC 7540 section 11.6 registers the method PRI as HTTP/2 specific
2235     * Deny "PRI" method if used in HTTP/1.x or 0.9 versions.
2236     * If seen it signals a broken client or proxy has corrupted the traffic.
2237     */
2238    if (*method_p == Http::METHOD_PRI && *http_ver < Http::ProtocolVersion(2,0)) {
2239        debugs(33, DBG_IMPORTANT, "WARNING: PRI method received on " << csd->port->transport.protocol << "port " << csd->port->s.port());
2240        debugs(33, DBG_IMPORTANT, "WARNING: for request: " << hp->buf);
2241        hp->request_parse_status = Http::scMethodNotAllowed;
2242        return csd->abortRequestParsing("error:method-not-allowed");
2243    }
2244
2245    if (*method_p == Http::METHOD_NONE) {
2246        /* XXX need a way to say "this many character length string" */
2247        debugs(33, DBG_IMPORTANT, "clientParseRequestMethod: Unsupported method in request '" << hp->buf << "'");
2248        hp->request_parse_status = Http::scMethodNotAllowed;
2249        return csd->abortRequestParsing("error:unsupported-request-method");
2250    }
2251
2252    /*
2253     * Process headers after request line
2254     * TODO: Use httpRequestParse here.
2255     */
2256    /* XXX this code should be modified to take a const char * later! */
2257    req_hdr = (char *) hp->buf + hp->req.end + 1;
2258
2259    debugs(33, 3, "parseHttpRequest: req_hdr = {" << req_hdr << "}");
2260
2261    end = (char *) hp->buf + hp->hdr_end;
2262
2263    debugs(33, 3, "parseHttpRequest: end = {" << end << "}");
2264
2265    debugs(33, 3, "parseHttpRequest: prefix_sz = " <<
2266           (int) HttpParserRequestLen(hp) << ", req_line_sz = " <<
2267           HttpParserReqSz(hp));
2268
2269    /* Ok, all headers are received */
2270    http = new ClientHttpRequest(csd);
2271
2272    http->req_sz = HttpParserRequestLen(hp);
2273    result = new ClientSocketContext(csd->clientConnection, http);
2274    tempBuffer.data = result->reqbuf;
2275    tempBuffer.length = HTTP_REQBUF_SZ;
2276
2277    ClientStreamData newServer = new clientReplyContext(http);
2278    ClientStreamData newClient = result;
2279    clientStreamInit(&http->client_stream, clientGetMoreData, clientReplyDetach,
2280                     clientReplyStatus, newServer, clientSocketRecipient,
2281                     clientSocketDetach, newClient, tempBuffer);
2282
2283    debugs(33, 5, "parseHttpRequest: Request Header is\n" <<(hp->buf) + hp->hdr_start);
2284
2285    /* set url */
2286    /*
2287     * XXX this should eventually not use a malloc'ed buffer; the transformation code
2288     * below needs to be modified to not expect a mutable nul-terminated string.
2289     */
2290    char *url = (char *)xmalloc(hp->req.u_end - hp->req.u_start + 16);
2291
2292    memcpy(url, hp->buf + hp->req.u_start, hp->req.u_end - hp->req.u_start + 1);
2293
2294    url[hp->req.u_end - hp->req.u_start + 1] = '\0';
2295
2296#if THIS_VIOLATES_HTTP_SPECS_ON_URL_TRANSFORMATION
2297
2298    if ((t = strchr(url, '#'))) /* remove HTML anchors */
2299        *t = '\0';
2300
2301#endif
2302
2303    debugs(33,5, "Prepare absolute URL from " <<
2304           (csd->transparent()?"intercept":(csd->port->flags.accelSurrogate ? "accel":"")));
2305    /* Rewrite the URL in transparent or accelerator mode */
2306    /* NP: there are several cases to traverse here:
2307     *  - standard mode (forward proxy)
2308     *  - transparent mode (TPROXY)
2309     *  - transparent mode with failures
2310     *  - intercept mode (NAT)
2311     *  - intercept mode with failures
2312     *  - accelerator mode (reverse proxy)
2313     *  - internal URL
2314     *  - mixed combos of the above with internal URL
2315     *  - remote interception with PROXY protocol
2316     *  - remote reverse-proxy with PROXY protocol
2317     */
2318    if (csd->transparent()) {
2319        /* intercept or transparent mode, properly working with no failures */
2320        prepareTransparentURL(csd, http, url, req_hdr);
2321
2322    } else if (internalCheck(url)) {
2323        /* internal URL mode */
2324        /* prepend our name & port */
2325        http->uri = xstrdup(internalLocalUri(NULL, url));
2326        // We just re-wrote the URL. Must replace the Host: header.
2327        //  But have not parsed there yet!! flag for local-only handling.
2328        http->flags.internal = true;
2329
2330    } else if (csd->port->flags.accelSurrogate || csd->switchedToHttps()) {
2331        /* accelerator mode */
2332        prepareAcceleratedURL(csd, http, url, req_hdr);
2333    }
2334
2335    if (!http->uri) {
2336        /* No special rewrites have been applied above, use the
2337         * requested url. may be rewritten later, so make extra room */
2338        int url_sz = strlen(url) + Config.appendDomainLen + 5;
2339        http->uri = (char *)xcalloc(url_sz, 1);
2340        strcpy(http->uri, url);
2341    }
2342
2343    debugs(33, 5, "parseHttpRequest: Complete request received");
2344
2345    // XXX: crop this dump at the end of headers. No need for extras
2346    debugs(11, 2, "HTTP Client " << csd->clientConnection);
2347    debugs(11, 2, "HTTP Client REQUEST:\n---------\n" << (hp->buf) + hp->req.m_start << "\n----------");
2348
2349    result->flags.parsed_ok = 1;
2350    xfree(url);
2351    return result;
2352}
2353
2354bool
2355ConnStateData::In::maybeMakeSpaceAvailable()
2356{
2357    if (buf.spaceSize() < 2) {
2358        const SBuf::size_type haveCapacity = buf.length() + buf.spaceSize();
2359        if (haveCapacity >= Config.maxRequestBufferSize) {
2360            debugs(33, 4, "request buffer full: client_request_buffer_max_size=" << Config.maxRequestBufferSize);
2361            return false;
2362        }
2363        if (haveCapacity == 0) {
2364            // haveCapacity is based on the SBuf visible window of the MemBlob buffer, which may fill up.
2365            // at which point bump the buffer back to default. This allocates a new MemBlob with any un-parsed bytes.
2366            buf.reserveCapacity(CLIENT_REQ_BUF_SZ);
2367        } else {
2368            const SBuf::size_type wantCapacity = min(static_cast<SBuf::size_type>(Config.maxRequestBufferSize), haveCapacity*2);
2369            buf.reserveCapacity(wantCapacity);
2370        }
2371        debugs(33, 2, "growing request buffer: available=" << buf.spaceSize() << " used=" << buf.length());
2372    }
2373    return (buf.spaceSize() >= 2);
2374}
2375
2376void
2377ConnStateData::addContextToQueue(ClientSocketContext * context)
2378{
2379    ClientSocketContext::Pointer *S;
2380
2381    for (S = (ClientSocketContext::Pointer *) & currentobject; S->getRaw();
2382            S = &(*S)->next);
2383    *S = context;
2384
2385    ++nrequests;
2386}
2387
2388int
2389ConnStateData::getConcurrentRequestCount() const
2390{
2391    int result = 0;
2392    ClientSocketContext::Pointer *T;
2393
2394    for (T = (ClientSocketContext::Pointer *) &currentobject;
2395            T->getRaw(); T = &(*T)->next, ++result);
2396    return result;
2397}
2398
2399int
2400ConnStateData::connFinishedWithConn(int size)
2401{
2402    if (size == 0) {
2403        if (getConcurrentRequestCount() == 0 && in.buf.isEmpty()) {
2404            /* no current or pending requests */
2405            debugs(33, 4, HERE << clientConnection << " closed");
2406            return 1;
2407        } else if (!Config.onoff.half_closed_clients) {
2408            /* admin doesn't want to support half-closed client sockets */
2409            debugs(33, 3, HERE << clientConnection << " aborted (half_closed_clients disabled)");
2410            notifyAllContexts(0); // no specific error implies abort
2411            return 1;
2412        }
2413    }
2414
2415    return 0;
2416}
2417
2418void
2419ConnStateData::consumeInput(const size_t byteCount)
2420{
2421    assert(byteCount > 0 && byteCount <= in.buf.length());
2422    in.buf.consume(byteCount);
2423    debugs(33, 5, "in.buf has " << in.buf.length() << " unused bytes");
2424}
2425
2426// TODO: Remove when renaming ConnStateData
2427void
2428connNoteUseOfBuffer(ConnStateData* conn, size_t byteCount)
2429{
2430    conn->consumeInput(byteCount);
2431}
2432
2433void
2434ConnStateData::clientAfterReadingRequests()
2435{
2436    // Were we expecting to read more request body from half-closed connection?
2437    if (mayNeedToReadMoreBody() && commIsHalfClosed(clientConnection->fd)) {
2438        debugs(33, 3, HERE << "truncated body: closing half-closed " << clientConnection);
2439        clientConnection->close();
2440        return;
2441    }
2442
2443    if (flags.readMore)
2444        readSomeData();
2445}
2446
2447void
2448ConnStateData::quitAfterError(HttpRequest *request)
2449{
2450    // From HTTP p.o.v., we do not have to close after every error detected
2451    // at the client-side, but many such errors do require closure and the
2452    // client-side code is bad at handling errors so we play it safe.
2453    if (request)
2454        request->flags.proxyKeepalive = false;
2455    flags.readMore = false;
2456    debugs(33,4, HERE << "Will close after error: " << clientConnection);
2457}
2458
2459#if USE_OPENSSL
2460bool ConnStateData::serveDelayedError(ClientSocketContext *context)
2461{
2462    ClientHttpRequest *http = context->http;
2463
2464    if (!sslServerBump)
2465        return false;
2466
2467    assert(sslServerBump->entry);
2468    // Did we create an error entry while processing CONNECT?
2469    if (!sslServerBump->entry->isEmpty()) {
2470        quitAfterError(http->request);
2471
2472        // Get the saved error entry and send it to the client by replacing the
2473        // ClientHttpRequest store entry with it.
2474        clientStreamNode *node = context->getClientReplyContext();
2475        clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
2476        assert(repContext);
2477        debugs(33, 5, "Responding with delated error for " << http->uri);
2478        repContext->setReplyToStoreEntry(sslServerBump->entry, "delayed SslBump error");
2479
2480        // save the original request for logging purposes
2481        if (!context->http->al->request) {
2482            context->http->al->request = http->request;
2483            HTTPMSGLOCK(context->http->al->request);
2484        }
2485
2486        // Get error details from the fake certificate-peeking request.
2487        http->request->detailError(sslServerBump->request->errType, sslServerBump->request->errDetail);
2488        context->pullData();
2489        return true;
2490    }
2491
2492    // In bump-server-first mode, we have not necessarily seen the intended
2493    // server name at certificate-peeking time. Check for domain mismatch now,
2494    // when we can extract the intended name from the bumped HTTP request.
2495    if (X509 *srvCert = sslServerBump->serverCert.get()) {
2496        HttpRequest *request = http->request;
2497        if (!Ssl::checkX509ServerValidity(srvCert, request->GetHost())) {
2498            debugs(33, 2, "SQUID_X509_V_ERR_DOMAIN_MISMATCH: Certificate " <<
2499                   "does not match domainname " << request->GetHost());
2500
2501            bool allowDomainMismatch = false;
2502            if (Config.ssl_client.cert_error) {
2503                ACLFilledChecklist check(Config.ssl_client.cert_error, request, dash_str);
2504                check.sslErrors = new Ssl::CertErrors(Ssl::CertError(SQUID_X509_V_ERR_DOMAIN_MISMATCH, srvCert));
2505                allowDomainMismatch = (check.fastCheck() == ACCESS_ALLOWED);
2506                delete check.sslErrors;
2507                check.sslErrors = NULL;
2508            }
2509
2510            if (!allowDomainMismatch) {
2511                quitAfterError(request);
2512
2513                clientStreamNode *node = context->getClientReplyContext();
2514                clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
2515                assert (repContext);
2516
2517                // Fill the server IP and hostname for error page generation.
2518                HttpRequest::Pointer const & peekerRequest = sslServerBump->request;
2519                request->hier.note(peekerRequest->hier.tcpServer, request->GetHost());
2520
2521                // Create an error object and fill it
2522                ErrorState *err = new ErrorState(ERR_SECURE_CONNECT_FAIL, Http::scServiceUnavailable, request);
2523                err->src_addr = clientConnection->remote;
2524                Ssl::ErrorDetail *errDetail = new Ssl::ErrorDetail(
2525                    SQUID_X509_V_ERR_DOMAIN_MISMATCH,
2526                    srvCert, NULL);
2527                err->detail = errDetail;
2528                // Save the original request for logging purposes.
2529                if (!context->http->al->request) {
2530                    context->http->al->request = request;
2531                    HTTPMSGLOCK(context->http->al->request);
2532                }
2533                repContext->setReplyToError(request->method, err);
2534                assert(context->http->out.offset == 0);
2535                context->pullData();
2536                return true;
2537            }
2538        }
2539    }
2540
2541    return false;
2542}
2543#endif // USE_OPENSSL
2544
2545static void
2546clientProcessRequestFinished(ConnStateData *conn, const HttpRequest::Pointer &request)
2547{
2548    /*
2549     * DPW 2007-05-18
2550     * Moved the TCP_RESET feature from clientReplyContext::sendMoreData
2551     * to here because calling comm_reset_close() causes http to
2552     * be freed and the above connNoteUseOfBuffer() would hit an
2553     * assertion, not to mention that we were accessing freed memory.
2554     */
2555    if (request != NULL && request->flags.resetTcp && Comm::IsConnOpen(conn->clientConnection)) {
2556        debugs(33, 3, HERE << "Sending TCP RST on " << conn->clientConnection);
2557        conn->flags.readMore = false;
2558        comm_reset_close(conn->clientConnection);
2559    }
2560}
2561
2562void
2563clientProcessRequest(ConnStateData *conn, HttpParser *hp, ClientSocketContext *context, const HttpRequestMethod& method, Http::ProtocolVersion http_ver)
2564{
2565    ClientHttpRequest *http = context->http;
2566    HttpRequest::Pointer request;
2567    bool notedUseOfBuffer = false;
2568    bool chunked = false;
2569    bool mustReplyToOptions = false;
2570    bool unsupportedTe = false;
2571    bool expectBody = false;
2572
2573    // temporary hack to avoid splitting this huge function with sensitive code
2574    const bool isFtp = !hp;
2575    if (isFtp) {
2576        // In FTP, case, we already have the request parsed and checked, so we
2577        // only need to go through the final body/conn setup to doCallouts().
2578        assert(http->request);
2579        request = http->request;
2580        notedUseOfBuffer = true;
2581    } else {
2582
2583        if (context->flags.parsed_ok == 0) {
2584            clientStreamNode *node = context->getClientReplyContext();
2585            debugs(33, 2, "clientProcessRequest: Invalid Request");
2586            conn->quitAfterError(NULL);
2587            // setLogUri should called before repContext->setReplyToError
2588            setLogUri(http, http->uri,  true);
2589            clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
2590            assert (repContext);
2591            switch (hp->request_parse_status) {
2592            case Http::scHeaderTooLarge:
2593                repContext->setReplyToError(ERR_TOO_BIG, Http::scBadRequest, method, http->uri, conn->clientConnection->remote, NULL, conn->in.buf.c_str(), NULL);
2594                break;
2595            case Http::scMethodNotAllowed:
2596                repContext->setReplyToError(ERR_UNSUP_REQ, Http::scMethodNotAllowed, method, http->uri,
2597                                            conn->clientConnection->remote, NULL, conn->in.buf.c_str(), NULL);
2598                break;
2599            default:
2600                repContext->setReplyToError(ERR_INVALID_REQ, hp->request_parse_status, method, http->uri,
2601                                            conn->clientConnection->remote, NULL, conn->in.buf.c_str(), NULL);
2602            }
2603            assert(context->http->out.offset == 0);
2604            context->pullData();
2605            connNoteUseOfBuffer(conn, http->req_sz);
2606            return;
2607        }
2608
2609        if ((request = HttpRequest::CreateFromUrlAndMethod(http->uri, method)) == NULL) {
2610            clientStreamNode *node = context->getClientReplyContext();
2611            debugs(33, 5, "Invalid URL: " << http->uri);
2612            conn->quitAfterError(request.getRaw());
2613            // setLogUri should called before repContext->setReplyToError
2614            setLogUri(http, http->uri,  true);
2615            clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
2616            assert (repContext);
2617            repContext->setReplyToError(ERR_INVALID_URL, Http::scBadRequest, method, http->uri, conn->clientConnection->remote, NULL, NULL, NULL);
2618            assert(context->http->out.offset == 0);
2619            context->pullData();
2620            connNoteUseOfBuffer(conn, http->req_sz);
2621            return;
2622        }
2623
2624        /* RFC 2616 section 10.5.6 : handle unsupported HTTP major versions cleanly. */
2625        /* We currently only support 0.9, 1.0, 1.1 properly */
2626        /* TODO: move HTTP-specific processing into servers/HttpServer and such */
2627        if ( (http_ver.major == 0 && http_ver.minor != 9) ||
2628                (http_ver.major > 1) ) {
2629
2630            clientStreamNode *node = context->getClientReplyContext();
2631            debugs(33, 5, "Unsupported HTTP version discovered. :\n" << HttpParserHdrBuf(hp));
2632            conn->quitAfterError(request.getRaw());
2633            // setLogUri should called before repContext->setReplyToError
2634            setLogUri(http, http->uri,  true);
2635            clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
2636            assert (repContext);
2637            repContext->setReplyToError(ERR_UNSUP_HTTPVERSION, Http::scHttpVersionNotSupported, method, http->uri,
2638                                        conn->clientConnection->remote, NULL, HttpParserHdrBuf(hp), NULL);
2639            assert(context->http->out.offset == 0);
2640            context->pullData();
2641            connNoteUseOfBuffer(conn, http->req_sz);
2642            clientProcessRequestFinished(conn, request);
2643            return;
2644        }
2645
2646        /* compile headers */
2647        /* we should skip request line! */
2648        /* XXX should actually know the damned buffer size here */
2649        if (http_ver.major >= 1 && !request->parseHeader(HttpParserHdrBuf(hp), HttpParserHdrSz(hp))) {
2650            clientStreamNode *node = context->getClientReplyContext();
2651            debugs(33, 5, "Failed to parse request headers:\n" << HttpParserHdrBuf(hp));
2652            conn->quitAfterError(request.getRaw());
2653            // setLogUri should called before repContext->setReplyToError
2654            setLogUri(http, http->uri,  true);
2655            clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
2656            assert (repContext);
2657            repContext->setReplyToError(ERR_INVALID_REQ, Http::scBadRequest, method, http->uri, conn->clientConnection->remote, NULL, NULL, NULL);
2658            assert(context->http->out.offset == 0);
2659            context->pullData();
2660            connNoteUseOfBuffer(conn, http->req_sz);
2661            clientProcessRequestFinished(conn, request);
2662            return;
2663        }
2664
2665        // when absolute-URI is provided Host header should be ignored. However
2666        // some code still uses Host directly so normalize it.
2667        // For now preserve the case where Host is completely absent. That matters.
2668        if (request->header.has(HDR_HOST)) {
2669            const char *host = request->header.getStr(HDR_HOST);
2670            SBuf authority(request->GetHost());
2671            if (request->port != urlDefaultPort(request->url.getScheme()))
2672                authority.appendf(":%d", request->port);
2673            debugs(33, 5, "URL domain " << authority << " overrides header Host: " << host);
2674            // URL authority overrides Host header
2675            request->header.delById(HDR_HOST);
2676            request->header.putStr(HDR_HOST, authority.c_str());
2677        }
2678    }
2679
2680    // Some blobs below are still HTTP-specific, but we would have to rewrite
2681    // this entire function to remove them from the FTP code path. Connection
2682    // setup and body_pipe preparation blobs are needed for FTP.
2683
2684    request->clientConnectionManager = conn;
2685
2686    request->flags.accelerated = http->flags.accel;
2687    request->flags.sslBumped=conn->switchedToHttps();
2688    request->flags.ignoreCc = conn->port->ignore_cc;
2689    // TODO: decouple http->flags.accel from request->flags.sslBumped
2690    request->flags.noDirect = (request->flags.accelerated && !request->flags.sslBumped) ?
2691                              !conn->port->allow_direct : 0;
2692#if USE_AUTH
2693    if (request->flags.sslBumped) {
2694        if (conn->getAuth() != NULL)
2695            request->auth_user_request = conn->getAuth();
2696    }
2697#endif
2698
2699    /** \par
2700     * If transparent or interception mode is working clone the transparent and interception flags
2701     * from the port settings to the request.
2702     */
2703    if (http->clientConnection != NULL) {
2704        request->flags.intercepted = ((http->clientConnection->flags & COMM_INTERCEPTION) != 0);
2705        request->flags.interceptTproxy = ((http->clientConnection->flags & COMM_TRANSPARENT) != 0 ) ;
2706        static const bool proxyProtocolPort = (conn->port != NULL) ? conn->port->flags.proxySurrogate : false;
2707        if (request->flags.interceptTproxy && !proxyProtocolPort) {
2708            if (Config.accessList.spoof_client_ip) {
2709                ACLFilledChecklist *checklist = clientAclChecklistCreate(Config.accessList.spoof_client_ip, http);
2710                request->flags.spoofClientIp = (checklist->fastCheck() == ACCESS_ALLOWED);
2711                delete checklist;
2712            } else
2713                request->flags.spoofClientIp = true;
2714        } else
2715            request->flags.spoofClientIp = false;
2716    }
2717
2718    if (internalCheck(request->urlpath.termedBuf())) {
2719        if (internalHostnameIs(request->GetHost()) && request->port == getMyPort()) {
2720            debugs(33, 2, "internal URL found: " << request->url.getScheme() << "://" << request->GetHost() <<
2721                   ':' << request->port);
2722            http->flags.internal = true;
2723        } else if (Config.onoff.global_internal_static && internalStaticCheck(request->urlpath.termedBuf())) {
2724            debugs(33, 2, "internal URL found: " << request->url.getScheme() << "://" << request->GetHost() <<
2725                   ':' << request->port << " (global_internal_static on)");
2726            request->url.setScheme(AnyP::PROTO_HTTP);
2727            request->SetHost(internalHostname());
2728            request->port = getMyPort();
2729            http->flags.internal = true;
2730        } else
2731            debugs(33, 2, "internal URL found: " << request->url.getScheme() << "://" << request->GetHost() <<
2732                   ':' << request->port << " (not this proxy)");
2733    }
2734
2735    if (http->flags.internal)
2736        request->login[0] = '\0';
2737
2738    request->flags.internal = http->flags.internal;
2739    setLogUri (http, urlCanonicalClean(request.getRaw()));
2740    request->client_addr = conn->clientConnection->remote; // XXX: remove reuest->client_addr member.
2741#if FOLLOW_X_FORWARDED_FOR
2742    // indirect client gets stored here because it is an HTTP header result (from X-Forwarded-For:)
2743    // not a details about teh TCP connection itself
2744    request->indirect_client_addr = conn->clientConnection->remote;
2745#endif /* FOLLOW_X_FORWARDED_FOR */
2746    request->my_addr = conn->clientConnection->local;
2747    request->myportname = conn->port->name;
2748    request->http_ver = http_ver;
2749
2750    // Link this HttpRequest to ConnStateData relatively early so the following complex handling can use it
2751    // TODO: this effectively obsoletes a lot of conn->FOO copying. That needs cleaning up later.
2752    request->clientConnectionManager = conn;
2753
2754    if (request->header.chunked()) {
2755        chunked = true;
2756    } else if (request->header.has(HDR_TRANSFER_ENCODING)) {
2757        const String te = request->header.getList(HDR_TRANSFER_ENCODING);
2758        // HTTP/1.1 requires chunking to be the last encoding if there is one
2759        unsupportedTe = te.size() && te != "identity";
2760    } // else implied identity coding
2761
2762    mustReplyToOptions = (method == Http::METHOD_OPTIONS) &&
2763                         (request->header.getInt64(HDR_MAX_FORWARDS) == 0);
2764    if (!urlCheckRequest(request.getRaw()) || mustReplyToOptions || unsupportedTe) {
2765        clientStreamNode *node = context->getClientReplyContext();
2766        conn->quitAfterError(request.getRaw());
2767        clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
2768        assert (repContext);
2769        repContext->setReplyToError(ERR_UNSUP_REQ, Http::scNotImplemented, request->method, NULL,
2770                                    conn->clientConnection->remote, request.getRaw(), NULL, NULL);
2771        assert(context->http->out.offset == 0);
2772        context->pullData();
2773        connNoteUseOfBuffer(conn, http->req_sz);
2774        clientProcessRequestFinished(conn, request);
2775        return;
2776    }
2777
2778    if (!chunked && !clientIsContentLengthValid(request.getRaw())) {
2779        clientStreamNode *node = context->getClientReplyContext();
2780        clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
2781        assert (repContext);
2782        conn->quitAfterError(request.getRaw());
2783        repContext->setReplyToError(ERR_INVALID_REQ,
2784                                    Http::scLengthRequired, request->method, NULL,
2785                                    conn->clientConnection->remote, request.getRaw(), NULL, NULL);
2786        assert(context->http->out.offset == 0);
2787        context->pullData();
2788        connNoteUseOfBuffer(conn, http->req_sz);
2789        clientProcessRequestFinished(conn, request);
2790        return;
2791    }
2792
2793    if (request->header.has(HDR_EXPECT)) {
2794        const String expect = request->header.getList(HDR_EXPECT);
2795        const bool supportedExpect = (expect.caseCmp("100-continue") == 0);
2796        if (!supportedExpect) {
2797            clientStreamNode *node = context->getClientReplyContext();
2798            clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
2799            assert (repContext);
2800            conn->quitAfterError(request.getRaw());
2801            repContext->setReplyToError(ERR_INVALID_REQ, Http::scExpectationFailed, request->method, http->uri,
2802                                        conn->clientConnection->remote, request.getRaw(), NULL, NULL);
2803            assert(context->http->out.offset == 0);
2804            context->pullData();
2805            connNoteUseOfBuffer(conn, http->req_sz);
2806            clientProcessRequestFinished(conn, request);
2807            return;
2808        }
2809    }
2810
2811    if (!isFtp) {
2812        http->request = request.getRaw();
2813        HTTPMSGLOCK(http->request);
2814    }
2815
2816    clientSetKeepaliveFlag(http);
2817    // Let tunneling code be fully responsible for CONNECT requests
2818    if (http->request->method == Http::METHOD_CONNECT) {
2819        context->mayUseConnection(true);
2820        conn->flags.readMore = false;
2821
2822        // consume header early so that tunnel gets just the body
2823        connNoteUseOfBuffer(conn, http->req_sz);
2824        notedUseOfBuffer = true;
2825    }
2826
2827#if USE_OPENSSL
2828    if (conn->switchedToHttps() && conn->serveDelayedError(context)) {
2829        if (!notedUseOfBuffer)
2830            connNoteUseOfBuffer(conn, http->req_sz);
2831        clientProcessRequestFinished(conn, request);
2832        return;
2833    }
2834#endif
2835
2836    /* Do we expect a request-body? */
2837    expectBody = chunked || request->content_length > 0;
2838    if (!context->mayUseConnection() && expectBody) {
2839        request->body_pipe = conn->expectRequestBody(
2840                                 chunked ? -1 : request->content_length);
2841
2842        if (!isFtp) {
2843            // consume header early so that body pipe gets just the body
2844            connNoteUseOfBuffer(conn, http->req_sz);
2845            notedUseOfBuffer = true;
2846        }
2847
2848        /* Is it too large? */
2849        if (!chunked && // if chunked, we will check as we accumulate
2850                clientIsRequestBodyTooLargeForPolicy(request->content_length)) {
2851            clientStreamNode *node = context->getClientReplyContext();
2852            clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
2853            assert (repContext);
2854            conn->quitAfterError(request.getRaw());
2855            repContext->setReplyToError(ERR_TOO_BIG,
2856                                        Http::scPayloadTooLarge, Http::METHOD_NONE, NULL,
2857                                        conn->clientConnection->remote, http->request, NULL, NULL);
2858            assert(context->http->out.offset == 0);
2859            context->pullData();
2860            clientProcessRequestFinished(conn, request);
2861            return;
2862        }
2863
2864        if (!isFtp) {
2865            // We may stop producing, comm_close, and/or call setReplyToError()
2866            // below, so quit on errors to avoid http->doCallouts()
2867            if (!conn->handleRequestBodyData()) {
2868                clientProcessRequestFinished(conn, request);
2869                return;
2870            }
2871
2872            if (!request->body_pipe->productionEnded()) {
2873                debugs(33, 5, "need more request body");
2874                context->mayUseConnection(true);
2875                assert(conn->flags.readMore);
2876            }
2877        }
2878    }
2879
2880    http->calloutContext = new ClientRequestContext(http);
2881
2882    http->doCallouts();
2883
2884    if (!notedUseOfBuffer)
2885        connNoteUseOfBuffer(conn, http->req_sz);
2886
2887    clientProcessRequestFinished(conn, request);
2888}
2889
2890static void
2891connStripBufferWhitespace (ConnStateData * conn)
2892{
2893    // XXX: kill this whole function.
2894    while (!conn->in.buf.isEmpty() && xisspace(conn->in.buf.at(0))) {
2895        conn->in.buf.consume(1);
2896    }
2897}
2898
2899int
2900ConnStateData::pipelinePrefetchMax() const
2901{
2902    // TODO: Support pipelined requests through pinned connections.
2903    if (pinning.pinned)
2904        return 0;
2905    return Config.pipeline_max_prefetch;
2906}
2907
2908/**
2909 * Limit the number of concurrent requests.
2910 * \return true  when there are available position(s) in the pipeline queue for another request.
2911 * \return false when the pipeline queue is full or disabled.
2912 */
2913bool
2914ConnStateData::concurrentRequestQueueFilled() const
2915{
2916    const int existingRequestCount = getConcurrentRequestCount();
2917
2918    // default to the configured pipeline size.
2919    // add 1 because the head of pipeline is counted in concurrent requests and not prefetch queue
2920#if USE_OPENSSL
2921    const int internalRequest = (transparent() && sslBumpMode == Ssl::bumpSplice) ? 1 : 0;
2922#else
2923    const int internalRequest = 0;
2924#endif
2925    const int concurrentRequestLimit = pipelinePrefetchMax() + 1 + internalRequest;
2926
2927    // when queue filled already we cant add more.
2928    if (existingRequestCount >= concurrentRequestLimit) {
2929        debugs(33, 3, clientConnection << " max concurrent requests reached (" << concurrentRequestLimit << ")");
2930        debugs(33, 5, clientConnection << " deferring new request until one is done");
2931        return true;
2932    }
2933
2934    return false;
2935}
2936
2937/**
2938 * Perform proxy_protocol_access ACL tests on the client which
2939 * connected to PROXY protocol port to see if we trust the
2940 * sender enough to accept their PROXY header claim.
2941 */
2942bool
2943ConnStateData::proxyProtocolValidateClient()
2944{
2945    if (!Config.accessList.proxyProtocol)
2946        return proxyProtocolError("PROXY client not permitted by default ACL");
2947
2948    ACLFilledChecklist ch(Config.accessList.proxyProtocol, NULL, clientConnection->rfc931);
2949    ch.src_addr = clientConnection->remote;
2950    ch.my_addr = clientConnection->local;
2951    ch.conn(this);
2952
2953    if (ch.fastCheck() != ACCESS_ALLOWED)
2954        return proxyProtocolError("PROXY client not permitted by ACLs");
2955
2956    return true;
2957}
2958
2959/**
2960 * Perform cleanup on PROXY protocol errors.
2961 * If header parsing hits a fatal error terminate the connection,
2962 * otherwise wait for more data.
2963 */
2964bool
2965ConnStateData::proxyProtocolError(const char *msg)
2966{
2967    if (msg) {
2968        // This is important to know, but maybe not so much that flooding the log is okay.
2969#if QUIET_PROXY_PROTOCOL
2970        // display the first of every 32 occurances at level 1, the others at level 2.
2971        static uint8_t hide = 0;
2972        debugs(33, (hide++ % 32 == 0 ? DBG_IMPORTANT : 2), msg << " from " << clientConnection);
2973#else
2974        debugs(33, DBG_IMPORTANT, msg << " from " << clientConnection);
2975#endif
2976        mustStop(msg);
2977    }
2978    return false;
2979}
2980
2981/// magic octet prefix for PROXY protocol version 1
2982static const SBuf Proxy1p0magic("PROXY ", 6);
2983
2984/// magic octet prefix for PROXY protocol version 2
2985static const SBuf Proxy2p0magic("\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A", 12);
2986
2987/**
2988 * Test the connection read buffer for PROXY protocol header.
2989 * Version 1 and 2 header currently supported.
2990 */
2991bool
2992ConnStateData::parseProxyProtocolHeader()
2993{
2994    // http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
2995
2996    // detect and parse PROXY/2.0 protocol header
2997    if (in.buf.startsWith(Proxy2p0magic))
2998        return parseProxy2p0();
2999
3000    // detect and parse PROXY/1.0 protocol header
3001    if (in.buf.startsWith(Proxy1p0magic))
3002        return parseProxy1p0();
3003
3004    // detect and terminate other protocols
3005    if (in.buf.length() >= Proxy2p0magic.length()) {
3006        // PROXY/1.0 magic is shorter, so we know that
3007        // the input does not start with any PROXY magic
3008        return proxyProtocolError("PROXY protocol error: invalid header");
3009    }
3010
3011    // TODO: detect short non-magic prefixes earlier to avoid
3012    // waiting for more data which may never come
3013
3014    // not enough bytes to parse yet.
3015    return false;
3016}
3017
3018/// parse the PROXY/1.0 protocol header from the connection read buffer
3019bool
3020ConnStateData::parseProxy1p0()
3021{
3022    ::Parser::Tokenizer tok(in.buf);
3023    tok.skip(Proxy1p0magic);
3024
3025    // skip to first LF (assumes it is part of CRLF)
3026    static const CharacterSet lineContent = CharacterSet::LF.complement("non-LF");
3027    SBuf line;
3028    if (tok.prefix(line, lineContent, 107-Proxy1p0magic.length())) {
3029        if (tok.skip('\n')) {
3030            // found valid header
3031            in.buf = tok.remaining();
3032            needProxyProtocolHeader_ = false;
3033            // reset the tokenizer to work on found line only.
3034            tok.reset(line);
3035        } else
3036            return false; // no LF yet
3037
3038    } else // protocol error only if there are more than 107 bytes prefix header
3039        return proxyProtocolError(in.buf.length() > 107? "PROXY/1.0 error: missing CRLF" : NULL);
3040
3041    static const SBuf unknown("UNKNOWN"), tcpName("TCP");
3042    if (tok.skip(tcpName)) {
3043
3044        // skip TCP/IP version number
3045        static const CharacterSet tcpVersions("TCP-version","46");
3046        if (!tok.skipOne(tcpVersions))
3047            return proxyProtocolError("PROXY/1.0 error: missing TCP version");
3048
3049        // skip SP after protocol version
3050        if (!tok.skip(' '))
3051            return proxyProtocolError("PROXY/1.0 error: missing SP");
3052
3053        SBuf ipa, ipb;
3054        int64_t porta, portb;
3055        static const CharacterSet ipChars = CharacterSet("IP Address",".:") + CharacterSet::HEXDIG;
3056
3057        // parse:  src-IP SP dst-IP SP src-port SP dst-port CR
3058        // leave the LF until later.
3059        const bool correct = tok.prefix(ipa, ipChars) && tok.skip(' ') &&
3060                             tok.prefix(ipb, ipChars) && tok.skip(' ') &&
3061                             tok.int64(porta) && tok.skip(' ') &&
3062                             tok.int64(portb) &&
3063                             tok.skip('\r');
3064        if (!correct)
3065            return proxyProtocolError("PROXY/1.0 error: invalid syntax");
3066
3067        // parse IP and port strings
3068        Ip::Address originalClient, originalDest;
3069
3070        if (!originalClient.GetHostByName(ipa.c_str()))
3071            return proxyProtocolError("PROXY/1.0 error: invalid src-IP address");
3072
3073        if (!originalDest.GetHostByName(ipb.c_str()))
3074            return proxyProtocolError("PROXY/1.0 error: invalid dst-IP address");
3075
3076        if (porta > 0 && porta <= 0xFFFF) // max uint16_t
3077            originalClient.port(static_cast<uint16_t>(porta));
3078        else
3079            return proxyProtocolError("PROXY/1.0 error: invalid src port");
3080
3081        if (portb > 0 && portb <= 0xFFFF) // max uint16_t
3082            originalDest.port(static_cast<uint16_t>(portb));
3083        else
3084            return proxyProtocolError("PROXY/1.0 error: invalid dst port");
3085
3086        // we have original client and destination details now
3087        // replace the client connection values
3088        debugs(33, 5, "PROXY/1.0 protocol on connection " << clientConnection);
3089        clientConnection->local = originalDest;
3090        clientConnection->remote = originalClient;
3091        if ((clientConnection->flags & COMM_TRANSPARENT))
3092            clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
3093        debugs(33, 5, "PROXY/1.0 upgrade: " << clientConnection);
3094
3095        // repeat fetch ensuring the new client FQDN can be logged
3096        if (Config.onoff.log_fqdn)
3097            fqdncache_gethostbyaddr(clientConnection->remote, FQDN_LOOKUP_IF_MISS);
3098
3099        return true;
3100
3101    } else if (tok.skip(unknown)) {
3102        // found valid but unusable header
3103        return true;
3104
3105    } else
3106        return proxyProtocolError("PROXY/1.0 error: invalid protocol family");
3107
3108    return false;
3109}
3110
3111/// parse the PROXY/2.0 protocol header from the connection read buffer
3112bool
3113ConnStateData::parseProxy2p0()
3114{
3115    static const SBuf::size_type prefixLen = Proxy2p0magic.length();
3116    if (in.buf.length() < prefixLen + 4)
3117        return false; // need more bytes
3118
3119    if ((in.buf[prefixLen] & 0xF0) != 0x20) // version == 2 is mandatory
3120        return proxyProtocolError("PROXY/2.0 error: invalid version");
3121
3122    const char command = (in.buf[prefixLen] & 0x0F);
3123    if ((command & 0xFE) != 0x00) // values other than 0x0-0x1 are invalid
3124        return proxyProtocolError("PROXY/2.0 error: invalid command");
3125
3126    const char family = (in.buf[prefixLen+1] & 0xF0) >>4;
3127    if (family > 0x3) // values other than 0x0-0x3 are invalid
3128        return proxyProtocolError("PROXY/2.0 error: invalid family");
3129
3130    const char proto = (in.buf[prefixLen+1] & 0x0F);
3131    if (proto > 0x2) // values other than 0x0-0x2 are invalid
3132        return proxyProtocolError("PROXY/2.0 error: invalid protocol type");
3133
3134    const char *clen = in.buf.rawContent() + prefixLen + 2;
3135    uint16_t len;
3136    memcpy(&len, clen, sizeof(len));
3137    len = ntohs(len);
3138
3139    if (in.buf.length() < prefixLen + 4 + len)
3140        return false; // need more bytes
3141
3142    in.buf.consume(prefixLen + 4); // 4 being the extra bytes
3143    const SBuf extra = in.buf.consume(len);
3144    needProxyProtocolHeader_ = false; // found successfully
3145
3146    // LOCAL connections do nothing with the extras
3147    if (command == 0x00/* LOCAL*/)
3148        return true;
3149
3150    union pax {
3151        struct {        /* for TCP/UDP over IPv4, len = 12 */
3152            struct in_addr src_addr;
3153            struct in_addr dst_addr;
3154            uint16_t src_port;
3155            uint16_t dst_port;
3156        } ipv4_addr;
3157        struct {        /* for TCP/UDP over IPv6, len = 36 */
3158            struct in6_addr src_addr;
3159            struct in6_addr dst_addr;
3160            uint16_t src_port;
3161            uint16_t dst_port;
3162        } ipv6_addr;
3163#if NOT_SUPPORTED
3164        struct {        /* for AF_UNIX sockets, len = 216 */
3165            uint8_t src_addr[108];
3166            uint8_t dst_addr[108];
3167        } unix_addr;
3168#endif
3169    };
3170
3171    pax ipu;
3172    memcpy(&ipu, extra.rawContent(), sizeof(pax));
3173
3174    // replace the client connection values
3175    debugs(33, 5, "PROXY/2.0 protocol on connection " << clientConnection);
3176    switch (family) {
3177    case 0x1: // IPv4
3178        clientConnection->local = ipu.ipv4_addr.dst_addr;
3179        clientConnection->local.port(ntohs(ipu.ipv4_addr.dst_port));
3180        clientConnection->remote = ipu.ipv4_addr.src_addr;
3181        clientConnection->remote.port(ntohs(ipu.ipv4_addr.src_port));
3182        if ((clientConnection->flags & COMM_TRANSPARENT))
3183            clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
3184        break;
3185    case 0x2: // IPv6
3186        clientConnection->local = ipu.ipv6_addr.dst_addr;
3187        clientConnection->local.port(ntohs(ipu.ipv6_addr.dst_port));
3188        clientConnection->remote = ipu.ipv6_addr.src_addr;
3189        clientConnection->remote.port(ntohs(ipu.ipv6_addr.src_port));
3190        if ((clientConnection->flags & COMM_TRANSPARENT))
3191            clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
3192        break;
3193    default: // do nothing
3194        break;
3195    }
3196    debugs(33, 5, "PROXY/2.0 upgrade: " << clientConnection);
3197
3198    // repeat fetch ensuring the new client FQDN can be logged
3199    if (Config.onoff.log_fqdn)
3200        fqdncache_gethostbyaddr(clientConnection->remote, FQDN_LOOKUP_IF_MISS);
3201
3202    return true;
3203}
3204
3205/**
3206 * Attempt to parse one or more requests from the input buffer.
3207 * Returns true after completing parsing of at least one request [header]. That
3208 * includes cases where parsing ended with an error (e.g., a huge request).
3209 */
3210bool
3211ConnStateData::clientParseRequests()
3212{
3213    bool parsed_req = false;
3214
3215    debugs(33, 5, HERE << clientConnection << ": attempting to parse");
3216
3217    // Loop while we have read bytes that are not needed for producing the body
3218    // On errors, bodyPipe may become nil, but readMore will be cleared
3219    while (!in.buf.isEmpty() && !bodyPipe && flags.readMore) {
3220        connStripBufferWhitespace(this);
3221
3222        /* Don't try to parse if the buffer is empty */
3223        if (in.buf.isEmpty())
3224            break;
3225
3226        /* Limit the number of concurrent requests */
3227        if (concurrentRequestQueueFilled())
3228            break;
3229
3230        // try to parse the PROXY protocol header magic bytes
3231        if (needProxyProtocolHeader_ && !parseProxyProtocolHeader())
3232            break;
3233
3234        Http::ProtocolVersion http_ver;
3235        if (ClientSocketContext *context = parseOneRequest(http_ver)) {
3236            debugs(33, 5, clientConnection << ": done parsing a request");
3237            AsyncCall::Pointer timeoutCall = commCbCall(5, 4, "clientLifetimeTimeout",
3238                                             CommTimeoutCbPtrFun(clientLifetimeTimeout, context->http));
3239            commSetConnTimeout(clientConnection, Config.Timeout.lifetime, timeoutCall);
3240
3241            context->registerWithConn();
3242
3243            processParsedRequest(context, http_ver);
3244
3245            parsed_req = true; // XXX: do we really need to parse everything right NOW ?
3246
3247            if (context->mayUseConnection()) {
3248                debugs(33, 3, HERE << "Not parsing new requests, as this request may need the connection");
3249                break;
3250            }
3251        } else {
3252            debugs(33, 5, clientConnection << ": not enough request data: " <<
3253                   in.buf.length() << " < " << Config.maxRequestHeaderSize);
3254            Must(in.buf.length() < Config.maxRequestHeaderSize);
3255            break;
3256        }
3257    }
3258
3259    /* XXX where to 'finish' the parsing pass? */
3260    return parsed_req;
3261}
3262
3263void
3264ConnStateData::clientReadRequest(const CommIoCbParams &io)
3265{
3266    debugs(33,5, io.conn);
3267    Must(reading());
3268    reader = NULL;
3269
3270    /* Bail out quickly on Comm::ERR_CLOSING - close handlers will tidy up */
3271    if (io.flag == Comm::ERR_CLOSING) {
3272        debugs(33,5, io.conn << " closing Bailout.");
3273        return;
3274    }
3275
3276    assert(Comm::IsConnOpen(clientConnection));
3277    assert(io.conn->fd == clientConnection->fd);
3278
3279    /*
3280     * Don't reset the timeout value here. The value should be
3281     * counting Config.Timeout.request and applies to the request
3282     * as a whole, not individual read() calls.
3283     * Plus, it breaks our lame *HalfClosed() detection
3284     */
3285
3286    in.maybeMakeSpaceAvailable();
3287    CommIoCbParams rd(this); // will be expanded with ReadNow results
3288    rd.conn = io.conn;
3289    switch (Comm::ReadNow(rd, in.buf)) {
3290    case Comm::INPROGRESS:
3291        if (in.buf.isEmpty())
3292            debugs(33, 2, io.conn << ": no data to process, " << xstrerr(rd.xerrno));
3293        readSomeData();
3294        return;
3295
3296    case Comm::OK:
3297        kb_incr(&(statCounter.client_http.kbytes_in), rd.size);
3298        // may comm_close or setReplyToError
3299        if (!handleReadData())
3300            return;
3301
3302        /* Continue to process previously read data */
3303        break;
3304
3305    case Comm::ENDFILE: // close detected by 0-byte read
3306        debugs(33, 5, io.conn << " closed?");
3307
3308        if (connFinishedWithConn(rd.size)) {
3309            clientConnection->close();
3310            return;
3311        }
3312
3313        /* It might be half-closed, we can't tell */
3314        fd_table[io.conn->fd].flags.socket_eof = true;
3315        commMarkHalfClosed(io.conn->fd);
3316        fd_note(io.conn->fd, "half-closed");
3317
3318        /* There is one more close check at the end, to detect aborted
3319         * (partial) requests. At this point we can't tell if the request
3320         * is partial.
3321         */
3322
3323        /* Continue to process previously read data */
3324        break;
3325
3326    // case Comm::COMM_ERROR:
3327    default: // no other flags should ever occur
3328        debugs(33, 2, io.conn << ": got flag " << rd.flag << "; " << xstrerr(rd.xerrno));
3329        notifyAllContexts(rd.xerrno);
3330        io.conn->close();
3331        return;
3332    }
3333
3334    /* Process next request */
3335    if (getConcurrentRequestCount() == 0)
3336        fd_note(io.fd, "Reading next request");
3337
3338    if (!clientParseRequests()) {
3339        if (!isOpen())
3340            return;
3341        /*
3342         * If the client here is half closed and we failed
3343         * to parse a request, close the connection.
3344         * The above check with connFinishedWithConn() only
3345         * succeeds _if_ the buffer is empty which it won't
3346         * be if we have an incomplete request.
3347         * XXX: This duplicates ClientSocketContext::keepaliveNextRequest
3348         */
3349        if (getConcurrentRequestCount() == 0 && commIsHalfClosed(io.fd)) {
3350            debugs(33, 5, HERE << io.conn << ": half-closed connection, no completed request parsed, connection closing.");
3351            clientConnection->close();
3352            return;
3353        }
3354    }
3355
3356    if (!isOpen())
3357        return;
3358
3359    clientAfterReadingRequests();
3360}
3361
3362/**
3363 * called when new request data has been read from the socket
3364 *
3365 * \retval false called comm_close or setReplyToError (the caller should bail)
3366 * \retval true  we did not call comm_close or setReplyToError
3367 */
3368bool
3369ConnStateData::handleReadData()
3370{
3371    // if we are reading a body, stuff data into the body pipe
3372    if (bodyPipe != NULL)
3373        return handleRequestBodyData();
3374    return true;
3375}
3376
3377/**
3378 * called when new request body data has been buffered in in.buf
3379 * may close the connection if we were closing and piped everything out
3380 *
3381 * \retval false called comm_close or setReplyToError (the caller should bail)
3382 * \retval true  we did not call comm_close or setReplyToError
3383 */
3384bool
3385ConnStateData::handleRequestBodyData()
3386{
3387    assert(bodyPipe != NULL);
3388
3389    size_t putSize = 0;
3390
3391    if (in.bodyParser) { // chunked encoding
3392        if (const err_type error = handleChunkedRequestBody(putSize)) {
3393            abortChunkedRequestBody(error);
3394            return false;
3395        }
3396    } else { // identity encoding
3397        debugs(33,5, HERE << "handling plain request body for " << clientConnection);
3398        putSize = bodyPipe->putMoreData(in.buf.c_str(), in.buf.length());
3399        if (!bodyPipe->mayNeedMoreData()) {
3400            // BodyPipe will clear us automagically when we produced everything
3401            bodyPipe = NULL;
3402        }
3403    }
3404
3405    if (putSize > 0)
3406        connNoteUseOfBuffer(this, putSize);
3407
3408    if (!bodyPipe) {
3409        debugs(33,5, HERE << "produced entire request body for " << clientConnection);
3410
3411        if (const char *reason = stoppedSending()) {
3412            /* we've finished reading like good clients,
3413             * now do the close that initiateClose initiated.
3414             */
3415            debugs(33, 3, HERE << "closing for earlier sending error: " << reason);
3416            clientConnection->close();
3417            return false;
3418        }
3419    }
3420
3421    return true;
3422}
3423
3424/// parses available chunked encoded body bytes, checks size, returns errors
3425err_type
3426ConnStateData::handleChunkedRequestBody(size_t &putSize)
3427{
3428    debugs(33, 7, "chunked from " << clientConnection << ": " << in.buf.length());
3429
3430    try { // the parser will throw on errors
3431
3432        if (in.buf.isEmpty()) // nothing to do
3433            return ERR_NONE;
3434
3435        MemBuf raw; // ChunkedCodingParser only works with MemBufs
3436        // add one because MemBuf will assert if it cannot 0-terminate
3437        raw.init(in.buf.length(), in.buf.length()+1);
3438        raw.append(in.buf.c_str(), in.buf.length());
3439
3440        const mb_size_t wasContentSize = raw.contentSize();
3441        BodyPipeCheckout bpc(*bodyPipe);
3442        const bool parsed = in.bodyParser->parse(&raw, &bpc.buf);
3443        bpc.checkIn();
3444        putSize = wasContentSize - raw.contentSize();
3445
3446        // dechunk then check: the size limit applies to _dechunked_ content
3447        if (clientIsRequestBodyTooLargeForPolicy(bodyPipe->producedSize()))
3448            return ERR_TOO_BIG;
3449
3450        if (parsed) {
3451            finishDechunkingRequest(true);
3452            Must(!bodyPipe);
3453            return ERR_NONE; // nil bodyPipe implies body end for the caller
3454        }
3455
3456        // if chunk parser needs data, then the body pipe must need it too
3457        Must(!in.bodyParser->needsMoreData() || bodyPipe->mayNeedMoreData());
3458
3459        // if parser needs more space and we can consume nothing, we will stall
3460        Must(!in.bodyParser->needsMoreSpace() || bodyPipe->buf().hasContent());
3461    } catch (...) { // TODO: be more specific
3462        debugs(33, 3, HERE << "malformed chunks" << bodyPipe->status());
3463        return ERR_INVALID_REQ;
3464    }
3465
3466    debugs(33, 7, HERE << "need more chunked data" << *bodyPipe->status());
3467    return ERR_NONE;
3468}
3469
3470/// quit on errors related to chunked request body handling
3471void
3472ConnStateData::abortChunkedRequestBody(const err_type error)
3473{
3474    finishDechunkingRequest(false);
3475
3476    // XXX: The code below works if we fail during initial request parsing,
3477    // but if we fail when the server connection is used already, the server may send
3478    // us its response too, causing various assertions. How to prevent that?
3479#if WE_KNOW_HOW_TO_SEND_ERRORS
3480    ClientSocketContext::Pointer context = getCurrentContext();
3481    if (context != NULL && !context->http->out.offset) { // output nothing yet
3482        clientStreamNode *node = context->getClientReplyContext();
3483        clientReplyContext *repContext = dynamic_cast<clientReplyContext*>(node->data.getRaw());
3484        assert(repContext);
3485        const Http::StatusCode scode = (error == ERR_TOO_BIG) ?
3486                                       Http::scPayloadTooLarge : HTTP_BAD_REQUEST;
3487        repContext->setReplyToError(error, scode,
3488                                    repContext->http->request->method,
3489                                    repContext->http->uri,
3490                                    CachePeer,
3491                                    repContext->http->request,
3492                                    in.buf, NULL);
3493        context->pullData();
3494    } else {
3495        // close or otherwise we may get stuck as nobody will notice the error?
3496        comm_reset_close(clientConnection);
3497    }
3498#else
3499    debugs(33, 3, HERE << "aborting chunked request without error " << error);
3500    comm_reset_close(clientConnection);
3501#endif
3502    flags.readMore = false;
3503}
3504
3505void
3506ConnStateData::noteBodyConsumerAborted(BodyPipe::Pointer )
3507{
3508    // request reader may get stuck waiting for space if nobody consumes body
3509    if (bodyPipe != NULL)
3510        bodyPipe->enableAutoConsumption();
3511
3512    // kids extend
3513}
3514
3515/** general lifetime handler for HTTP requests */
3516void
3517ConnStateData::requestTimeout(const CommTimeoutCbParams &io)
3518{
3519    /*
3520    * Just close the connection to not confuse browsers
3521    * using persistent connections. Some browsers open
3522    * a connection and then do not use it until much
3523    * later (presumeably because the request triggering
3524    * the open has already been completed on another
3525    * connection)
3526    */
3527    debugs(33, 3, "requestTimeout: FD " << io.fd << ": lifetime is expired.");
3528    io.conn->close();
3529}
3530
3531static void
3532clientLifetimeTimeout(const CommTimeoutCbParams &io)
3533{
3534    ClientHttpRequest *http = static_cast<ClientHttpRequest *>(io.data);
3535    debugs(33, DBG_IMPORTANT, "WARNING: Closing client connection due to lifetime timeout");
3536    debugs(33, DBG_IMPORTANT, "\t" << http->uri);
3537    http->al->http.timedout = true;
3538    if (Comm::IsConnOpen(io.conn))
3539        io.conn->close();
3540}
3541
3542ConnStateData::ConnStateData(const MasterXaction::Pointer &xact) :
3543    AsyncJob("ConnStateData"), // kids overwrite
3544    nrequests(0),
3545#if USE_OPENSSL
3546    sslBumpMode(Ssl::bumpEnd),
3547#endif
3548    needProxyProtocolHeader_(false),
3549#if USE_OPENSSL
3550    switchedToHttps_(false),
3551    sslServerBump(NULL),
3552    signAlgorithm(Ssl::algSignTrusted),
3553#endif
3554    stoppedSending_(NULL),
3555    stoppedReceiving_(NULL)
3556{
3557    flags.readMore = true; // kids may overwrite
3558    flags.swanSang = false;
3559
3560    pinning.host = NULL;
3561    pinning.port = -1;
3562    pinning.pinned = false;
3563    pinning.auth = false;
3564    pinning.zeroReply = false;
3565    pinning.peer = NULL;
3566
3567    // store the details required for creating more MasterXaction objects as new requests come in
3568    clientConnection = xact->tcpClient;
3569    port = xact->squidPort;
3570    log_addr = xact->tcpClient->remote;
3571    log_addr.applyMask(Config.Addrs.client_netmask);
3572
3573    // register to receive notice of Squid signal events
3574    // which may affect long persisting client connections
3575    RegisterRunner(this);
3576}
3577
3578void
3579ConnStateData::start()
3580{
3581    BodyProducer::start();
3582    HttpControlMsgSink::start();
3583
3584    if (port->disable_pmtu_discovery != DISABLE_PMTU_OFF &&
3585            (transparent() || port->disable_pmtu_discovery == DISABLE_PMTU_ALWAYS)) {
3586#if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
3587        int i = IP_PMTUDISC_DONT;
3588        if (setsockopt(clientConnection->fd, SOL_IP, IP_MTU_DISCOVER, &i, sizeof(i)) < 0)
3589            debugs(33, 2, "WARNING: Path MTU discovery disabling failed on " << clientConnection << " : " << xstrerror());
3590#else
3591        static bool reported = false;
3592
3593        if (!reported) {
3594            debugs(33, DBG_IMPORTANT, "NOTICE: Path MTU discovery disabling is not supported on your platform.");
3595            reported = true;
3596        }
3597#endif
3598    }
3599
3600    typedef CommCbMemFunT<ConnStateData, CommCloseCbParams> Dialer;
3601    AsyncCall::Pointer call = JobCallback(33, 5, Dialer, this, ConnStateData::connStateClosed);
3602    comm_add_close_handler(clientConnection->fd, call);
3603
3604    if (Config.onoff.log_fqdn)
3605        fqdncache_gethostbyaddr(clientConnection->remote, FQDN_LOOKUP_IF_MISS);
3606
3607#if USE_IDENT
3608    if (Ident::TheConfig.identLookup) {
3609        ACLFilledChecklist identChecklist(Ident::TheConfig.identLookup, NULL, NULL);
3610        identChecklist.src_addr = clientConnection->remote;
3611        identChecklist.my_addr = clientConnection->local;
3612        if (identChecklist.fastCheck() == ACCESS_ALLOWED)
3613            Ident::Start(clientConnection, clientIdentDone, this);
3614    }
3615#endif
3616
3617    clientdbEstablished(clientConnection->remote, 1);
3618
3619    needProxyProtocolHeader_ = port->flags.proxySurrogate;
3620    if (needProxyProtocolHeader_) {
3621        if (!proxyProtocolValidateClient()) // will close the connection on failure
3622            return;
3623    }
3624
3625#if USE_DELAY_POOLS
3626    fd_table[clientConnection->fd].clientInfo = NULL;
3627
3628    if (Config.onoff.client_db) {
3629        /* it was said several times that client write limiter does not work if client_db is disabled */
3630
3631        ClientDelayPools& pools(Config.ClientDelay.pools);
3632        ACLFilledChecklist ch(NULL, NULL, NULL);
3633
3634        // TODO: we check early to limit error response bandwith but we
3635        // should recheck when we can honor delay_pool_uses_indirect
3636        // TODO: we should also pass the port details for myportname here.
3637        ch.src_addr = clientConnection->remote;
3638        ch.my_addr = clientConnection->local;
3639
3640        for (unsigned int pool = 0; pool < pools.size(); ++pool) {
3641
3642            /* pools require explicit 'allow' to assign a client into them */
3643            if (pools[pool].access) {
3644                cbdataReferenceDone(ch.accessList);
3645                ch.accessList = cbdataReference(pools[pool].access);
3646                allow_t answer = ch.fastCheck();
3647                if (answer == ACCESS_ALLOWED) {
3648
3649                    /*  request client information from db after we did all checks
3650                        this will save hash lookup if client failed checks */
3651                    ClientInfo * cli = clientdbGetInfo(clientConnection->remote);
3652                    assert(cli);
3653
3654                    /* put client info in FDE */
3655                    fd_table[clientConnection->fd].clientInfo = cli;
3656
3657                    /* setup write limiter for this request */
3658                    const double burst = floor(0.5 +
3659                                               (pools[pool].highwatermark * Config.ClientDelay.initial)/100.0);
3660                    cli->setWriteLimiter(pools[pool].rate, burst, pools[pool].highwatermark);
3661                    break;
3662                } else {
3663                    debugs(83, 4, HERE << "Delay pool " << pool << " skipped because ACL " << answer);
3664                }
3665            }
3666        }
3667    }
3668#endif
3669
3670    // kids must extend to actually start doing something (e.g., reading)
3671}
3672
3673/** Handle a new connection on an HTTP socket. */
3674void
3675httpAccept(const CommAcceptCbParams &params)
3676{
3677    MasterXaction::Pointer xact = params.xaction;
3678    AnyP::PortCfgPointer s = xact->squidPort;
3679
3680    // NP: it is possible the port was reconfigured when the call or accept() was queued.
3681
3682    if (params.flag != Comm::OK) {
3683        // Its possible the call was still queued when the client disconnected
3684        debugs(33, 2, s->listenConn << ": accept failure: " << xstrerr(params.xerrno));
3685        return;
3686    }
3687
3688    debugs(33, 4, params.conn << ": accepted");
3689    fd_note(params.conn->fd, "client http connect");
3690
3691    if (s->tcp_keepalive.enabled)
3692        commSetTcpKeepalive(params.conn->fd, s->tcp_keepalive.idle, s->tcp_keepalive.interval, s->tcp_keepalive.timeout);
3693
3694    ++incoming_sockets_accepted;
3695
3696    // Socket is ready, setup the connection manager to start using it
3697    ConnStateData *connState = Http::NewServer(xact);
3698    AsyncJob::Start(connState); // usually async-calls readSomeData()
3699}
3700
3701#if USE_OPENSSL
3702
3703/** Create SSL connection structure and update fd_table */
3704static SSL *
3705httpsCreate(const Comm::ConnectionPointer &conn, SSL_CTX *sslContext)
3706{
3707    if (SSL *ssl = Ssl::CreateServer(sslContext, conn->fd, "client https start")) {
3708        debugs(33, 5, "will negotate SSL on " << conn);
3709        return ssl;
3710    }
3711
3712    conn->close();
3713    return NULL;
3714}
3715
3716static bool
3717Squid_SSL_accept(ConnStateData *conn, PF *callback)
3718{
3719    int fd = conn->clientConnection->fd;
3720    SSL *ssl = fd_table[fd].ssl;
3721    int ret;
3722
3723    errno = 0;
3724    if ((ret = SSL_accept(ssl)) <= 0) {
3725        int xerrno = errno;
3726        int ssl_error = SSL_get_error(ssl, ret);
3727
3728        switch (ssl_error) {
3729
3730        case SSL_ERROR_WANT_READ:
3731            Comm::SetSelect(fd, COMM_SELECT_READ, callback, conn, 0);
3732            return false;
3733
3734        case SSL_ERROR_WANT_WRITE:
3735            Comm::SetSelect(fd, COMM_SELECT_WRITE, callback, conn, 0);
3736            return false;
3737
3738        case SSL_ERROR_SYSCALL:
3739            if (ret == 0) {
3740                debugs(83, 2, "Error negotiating SSL connection on FD " << fd << ": Aborted by client: " << ssl_error);
3741            } else {
3742                debugs(83, (xerrno == ECONNRESET) ? 1 : 2, "Error negotiating SSL connection on FD " << fd << ": " <<
3743                       (xerrno == 0 ? ERR_error_string(ssl_error, NULL) : xstrerr(xerrno)));
3744            }
3745            conn->clientConnection->close();
3746            return false;
3747
3748        case SSL_ERROR_ZERO_RETURN:
3749            debugs(83, DBG_IMPORTANT, "Error negotiating SSL connection on FD " << fd << ": Closed by client");
3750            conn->clientConnection->close();
3751            return false;
3752
3753        default:
3754            debugs(83, DBG_IMPORTANT, "Error negotiating SSL connection on FD " <<
3755                   fd << ": " << ERR_error_string(ERR_get_error(), NULL) <<
3756                   " (" << ssl_error << "/" << ret << ")");
3757            conn->clientConnection->close();
3758            return false;
3759        }
3760
3761        /* NOTREACHED */
3762    }
3763    return true;
3764}
3765
3766/** negotiate an SSL connection */
3767static void
3768clientNegotiateSSL(int fd, void *data)
3769{
3770    ConnStateData *conn = (ConnStateData *)data;
3771    X509 *client_cert;
3772    SSL *ssl = fd_table[fd].ssl;
3773
3774    if (!Squid_SSL_accept(conn, clientNegotiateSSL))
3775        return;
3776
3777    if (SSL_session_reused(ssl)) {
3778        debugs(83, 2, "clientNegotiateSSL: Session " << SSL_get_session(ssl) <<
3779               " reused on FD " << fd << " (" << fd_table[fd].ipaddr << ":" << (int)fd_table[fd].remote_port << ")");
3780    } else {
3781        if (do_debug(83, 4)) {
3782            /* Write out the SSL session details.. actually the call below, but
3783             * OpenSSL headers do strange typecasts confusing GCC.. */
3784            /* PEM_write_SSL_SESSION(debug_log, SSL_get_session(ssl)); */
3785#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x00908000L
3786            PEM_ASN1_write((i2d_of_void *)i2d_SSL_SESSION, PEM_STRING_SSL_SESSION, debug_log, (char *)SSL_get_session(ssl), NULL,NULL,0,NULL,NULL);
3787
3788#elif (ALLOW_ALWAYS_SSL_SESSION_DETAIL == 1)
3789
3790            /* When using gcc 3.3.x and OpenSSL 0.9.7x sometimes a compile error can occur here.
3791            * This is caused by an unpredicatble gcc behaviour on a cast of the first argument
3792            * of PEM_ASN1_write(). For this reason this code section is disabled. To enable it,
3793            * define ALLOW_ALWAYS_SSL_SESSION_DETAIL=1.
3794            * Because there are two possible usable cast, if you get an error here, try the other
3795            * commented line. */
3796
3797            PEM_ASN1_write((int(*)())i2d_SSL_SESSION, PEM_STRING_SSL_SESSION, debug_log, (char *)SSL_get_session(ssl), NULL,NULL,0,NULL,NULL);
3798            /* PEM_ASN1_write((int(*)(...))i2d_SSL_SESSION, PEM_STRING_SSL_SESSION, debug_log, (char *)SSL_get_session(ssl), NULL,NULL,0,NULL,NULL); */
3799
3800#else
3801
3802            debugs(83, 4, "With " OPENSSL_VERSION_TEXT ", session details are available only defining ALLOW_ALWAYS_SSL_SESSION_DETAIL=1 in the source." );
3803
3804#endif
3805            /* Note: This does not automatically fflush the log file.. */
3806        }
3807
3808        debugs(83, 2, "clientNegotiateSSL: New session " <<
3809               SSL_get_session(ssl) << " on FD " << fd << " (" <<
3810               fd_table[fd].ipaddr << ":" << (int)fd_table[fd].remote_port <<
3811               ")");
3812    }
3813
3814    debugs(83, 3, "clientNegotiateSSL: FD " << fd << " negotiated cipher " <<
3815           SSL_get_cipher(ssl));
3816
3817    client_cert = SSL_get_peer_certificate(ssl);
3818
3819    if (client_cert != NULL) {
3820        debugs(83, 3, "clientNegotiateSSL: FD " << fd <<
3821               " client certificate: subject: " <<
3822               X509_NAME_oneline(X509_get_subject_name(client_cert), 0, 0));
3823
3824        debugs(83, 3, "clientNegotiateSSL: FD " << fd <<
3825               " client certificate: issuer: " <<
3826               X509_NAME_oneline(X509_get_issuer_name(client_cert), 0, 0));
3827
3828        X509_free(client_cert);
3829    } else {
3830        debugs(83, 5, "clientNegotiateSSL: FD " << fd <<
3831               " has no certificate.");
3832    }
3833
3834#if defined(TLSEXT_NAMETYPE_host_name)
3835    if (!conn->serverBump()) {
3836        // when in bumpClientFirst mode, get the server name from SNI
3837        if (const char *server = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))
3838            conn->resetSslCommonName(server);
3839    }
3840#endif
3841
3842    conn->readSomeData();
3843}
3844
3845/**
3846 * If SSL_CTX is given, starts reading the SSL handshake.
3847 * Otherwise, calls switchToHttps to generate a dynamic SSL_CTX.
3848 */
3849static void
3850httpsEstablish(ConnStateData *connState,  SSL_CTX *sslContext, Ssl::BumpMode bumpMode)
3851{
3852    SSL *ssl = NULL;
3853    assert(connState);
3854    const Comm::ConnectionPointer &details = connState->clientConnection;
3855
3856    if (sslContext && !(ssl = httpsCreate(details, sslContext)))
3857        return;
3858
3859    typedef CommCbMemFunT<ConnStateData, CommTimeoutCbParams> TimeoutDialer;
3860    AsyncCall::Pointer timeoutCall = JobCallback(33, 5, TimeoutDialer,
3861                                     connState, ConnStateData::requestTimeout);
3862    commSetConnTimeout(details, Config.Timeout.request, timeoutCall);
3863
3864    if (ssl)
3865        Comm::SetSelect(details->fd, COMM_SELECT_READ, clientNegotiateSSL, connState, 0);
3866    else {
3867        char buf[MAX_IPSTRLEN];
3868        assert(bumpMode != Ssl::bumpNone && bumpMode != Ssl::bumpEnd);
3869        HttpRequest::Pointer fakeRequest(new HttpRequest);
3870        fakeRequest->SetHost(details->local.toStr(buf, sizeof(buf)));
3871        fakeRequest->port = details->local.port();
3872        fakeRequest->clientConnectionManager = connState;
3873        fakeRequest->client_addr = connState->clientConnection->remote;
3874#if FOLLOW_X_FORWARDED_FOR
3875        fakeRequest->indirect_client_addr = connState->clientConnection->remote;
3876#endif
3877        fakeRequest->my_addr = connState->clientConnection->local;
3878        fakeRequest->flags.interceptTproxy = ((connState->clientConnection->flags & COMM_TRANSPARENT) != 0 ) ;
3879        fakeRequest->flags.intercepted = ((connState->clientConnection->flags & COMM_INTERCEPTION) != 0);
3880        fakeRequest->myportname = connState->port->name;
3881        if (fakeRequest->flags.interceptTproxy) {
3882            if (Config.accessList.spoof_client_ip) {
3883                ACLFilledChecklist checklist(Config.accessList.spoof_client_ip, fakeRequest.getRaw(), NULL);
3884                fakeRequest->flags.spoofClientIp = (checklist.fastCheck() == ACCESS_ALLOWED);
3885            } else
3886                fakeRequest->flags.spoofClientIp = true;
3887        } else
3888            fakeRequest->flags.spoofClientIp = false;
3889        debugs(33, 4, HERE << details << " try to generate a Dynamic SSL CTX");
3890        connState->switchToHttps(fakeRequest.getRaw(), bumpMode);
3891    }
3892}
3893
3894/**
3895 * A callback function to use with the ACLFilledChecklist callback.
3896 * In the case of ACCESS_ALLOWED answer initializes a bumped SSL connection,
3897 * else reverts the connection to tunnel mode.
3898 */
3899static void
3900httpsSslBumpAccessCheckDone(allow_t answer, void *data)
3901{
3902    ConnStateData *connState = (ConnStateData *) data;
3903
3904    // if the connection is closed or closing, just return.
3905    if (!connState->isOpen())
3906        return;
3907
3908    // Require both a match and a positive bump mode to work around exceptional
3909    // cases where ACL code may return ACCESS_ALLOWED with zero answer.kind.
3910    if (answer == ACCESS_ALLOWED && (answer.kind != Ssl::bumpNone && answer.kind != Ssl::bumpSplice)) {
3911        debugs(33, 2, "sslBump needed for " << connState->clientConnection << " method " << answer.kind);
3912        connState->sslBumpMode = static_cast<Ssl::BumpMode>(answer.kind);
3913    } else {
3914        debugs(33, 2, HERE << "sslBump not needed for " << connState->clientConnection);
3915        connState->sslBumpMode = Ssl::bumpNone;
3916    }
3917    connState->fakeAConnectRequest("ssl-bump", connState->in.buf);
3918}
3919
3920/** handle a new HTTPS connection */
3921static void
3922httpsAccept(const CommAcceptCbParams &params)
3923{
3924    MasterXaction::Pointer xact = params.xaction;
3925    const AnyP::PortCfgPointer s = xact->squidPort;
3926
3927    // NP: it is possible the port was reconfigured when the call or accept() was queued.
3928
3929    if (params.flag != Comm::OK) {
3930        // Its possible the call was still queued when the client disconnected
3931        debugs(33, 2, "httpsAccept: " << s->listenConn << ": accept failure: " << xstrerr(params.xerrno));
3932        return;
3933    }
3934
3935    debugs(33, 4, HERE << params.conn << " accepted, starting SSL negotiation.");
3936    fd_note(params.conn->fd, "client https connect");
3937
3938    if (s->tcp_keepalive.enabled) {
3939        commSetTcpKeepalive(params.conn->fd, s->tcp_keepalive.idle, s->tcp_keepalive.interval, s->tcp_keepalive.timeout);
3940    }
3941
3942    ++incoming_sockets_accepted;
3943
3944    // Socket is ready, setup the connection manager to start using it
3945    ConnStateData *connState = Https::NewServer(xact);
3946    AsyncJob::Start(connState); // usually async-calls postHttpsAccept()
3947}
3948
3949void
3950ConnStateData::postHttpsAccept()
3951{
3952    if (port->flags.tunnelSslBumping) {
3953        debugs(33, 5, "accept transparent connection: " << clientConnection);
3954
3955        if (!Config.accessList.ssl_bump) {
3956            httpsSslBumpAccessCheckDone(ACCESS_DENIED, this);
3957            return;
3958        }
3959
3960        // Create a fake HTTP request for ssl_bump ACL check,
3961        // using tproxy/intercept provided destination IP and port.
3962        HttpRequest *request = new HttpRequest();
3963        static char ip[MAX_IPSTRLEN];
3964        assert(clientConnection->flags & (COMM_TRANSPARENT | COMM_INTERCEPTION));
3965        request->SetHost(clientConnection->local.toStr(ip, sizeof(ip)));
3966        request->port = clientConnection->local.port();
3967        request->myportname = port->name;
3968
3969        ACLFilledChecklist *acl_checklist = new ACLFilledChecklist(Config.accessList.ssl_bump, request, NULL);
3970        acl_checklist->src_addr = clientConnection->remote;
3971        acl_checklist->my_addr = port->s;
3972        acl_checklist->nonBlockingCheck(httpsSslBumpAccessCheckDone, this);
3973        return;
3974    } else {
3975        SSL_CTX *sslContext = port->staticSslContext.get();
3976        httpsEstablish(this, sslContext, Ssl::bumpNone);
3977    }
3978}
3979
3980void
3981ConnStateData::sslCrtdHandleReplyWrapper(void *data, const Helper::Reply &reply)
3982{
3983    ConnStateData * state_data = (ConnStateData *)(data);
3984    state_data->sslCrtdHandleReply(reply);
3985}
3986
3987void
3988ConnStateData::sslCrtdHandleReply(const Helper::Reply &reply)
3989{
3990    if (!isOpen()) {
3991        debugs(33, 3, "Connection gone while waiting for ssl_crtd helper reply; helper reply:" << reply);
3992        return;
3993    }
3994
3995    if (reply.result == Helper::BrokenHelper) {
3996        debugs(33, 5, HERE << "Certificate for " << sslConnectHostOrIp << " cannot be generated. ssl_crtd response: " << reply);
3997    } else if (!reply.other().hasContent()) {
3998        debugs(1, DBG_IMPORTANT, HERE << "\"ssl_crtd\" helper returned <NULL> reply.");
3999    } else {
4000        Ssl::CrtdMessage reply_message(Ssl::CrtdMessage::REPLY);
4001        if (reply_message.parse(reply.other().content(), reply.other().contentSize()) != Ssl::CrtdMessage::OK) {
4002            debugs(33, 5, HERE << "Reply from ssl_crtd for " << sslConnectHostOrIp << " is incorrect");
4003        } else {
4004            if (reply.result != Helper::Okay) {
4005                debugs(33, 5, HERE << "Certificate for " << sslConnectHostOrIp << " cannot be generated. ssl_crtd response: " << reply_message.getBody());
4006            } else {
4007                debugs(33, 5, HERE << "Certificate for " << sslConnectHostOrIp << " was successfully recieved from ssl_crtd");
4008                if (sslServerBump && (sslServerBump->act.step1 == Ssl::bumpPeek || sslServerBump->act.step1 == Ssl::bumpStare)) {
4009                    doPeekAndSpliceStep();
4010                    SSL *ssl = fd_table[clientConnection->fd].ssl;
4011                    bool ret = Ssl::configureSSLUsingPkeyAndCertFromMemory(ssl, reply_message.getBody().c_str(), *port);
4012                    if (!ret)
4013                        debugs(33, 5, "Failed to set certificates to ssl object for PeekAndSplice mode");
4014                } else {
4015                    SSL_CTX *ctx = Ssl::generateSslContextUsingPkeyAndCertFromMemory(reply_message.getBody().c_str(), *port);
4016                    getSslContextDone(ctx, true);
4017                }
4018                return;
4019            }
4020        }
4021    }
4022    getSslContextDone(NULL);
4023}
4024
4025void ConnStateData::buildSslCertGenerationParams(Ssl::CertificateProperties &certProperties)
4026{
4027    certProperties.commonName =  sslCommonName_.isEmpty() ? sslConnectHostOrIp.termedBuf() : sslCommonName_.c_str();
4028
4029    // fake certificate adaptation requires bump-server-first mode
4030    if (!sslServerBump) {
4031        assert(port->signingCert.get());
4032        certProperties.signWithX509.resetAndLock(port->signingCert.get());
4033        if (port->signPkey.get())
4034            certProperties.signWithPkey.resetAndLock(port->signPkey.get());
4035        certProperties.signAlgorithm = Ssl::algSignTrusted;
4036        return;
4037    }
4038
4039    // In case of an error while connecting to the secure server, use a fake
4040    // trusted certificate, with no mimicked fields and no adaptation
4041    // algorithms. There is nothing we can mimic so we want to minimize the
4042    // number of warnings the user will have to see to get to the error page.
4043    assert(sslServerBump->entry);
4044    if (sslServerBump->entry->isEmpty()) {
4045        if (X509 *mimicCert = sslServerBump->serverCert.get())
4046            certProperties.mimicCert.resetAndLock(mimicCert);
4047
4048        ACLFilledChecklist checklist(NULL, sslServerBump->request.getRaw(),
4049                                     clientConnection != NULL ? clientConnection->rfc931 : dash_str);
4050        checklist.sslErrors = cbdataReference(sslServerBump->sslErrors);
4051
4052        for (sslproxy_cert_adapt *ca = Config.ssl_client.cert_adapt; ca != NULL; ca = ca->next) {
4053            // If the algorithm already set, then ignore it.
4054            if ((ca->alg == Ssl::algSetCommonName && certProperties.setCommonName) ||
4055                    (ca->alg == Ssl::algSetValidAfter && certProperties.setValidAfter) ||
4056                    (ca->alg == Ssl::algSetValidBefore && certProperties.setValidBefore) )
4057                continue;
4058
4059            if (ca->aclList && checklist.fastCheck(ca->aclList) == ACCESS_ALLOWED) {
4060                const char *alg = Ssl::CertAdaptAlgorithmStr[ca->alg];
4061                const char *param = ca->param;
4062
4063                // For parameterless CN adaptation, use hostname from the
4064                // CONNECT request.
4065                if (ca->alg == Ssl::algSetCommonName) {
4066                    if (!param)
4067                        param = sslConnectHostOrIp.termedBuf();
4068                    certProperties.commonName = param;
4069                    certProperties.setCommonName = true;
4070                } else if (ca->alg == Ssl::algSetValidAfter)
4071                    certProperties.setValidAfter = true;
4072                else if (ca->alg == Ssl::algSetValidBefore)
4073                    certProperties.setValidBefore = true;
4074
4075                debugs(33, 5, HERE << "Matches certificate adaptation aglorithm: " <<
4076                       alg << " param: " << (param ? param : "-"));
4077            }
4078        }
4079
4080        certProperties.signAlgorithm = Ssl::algSignEnd;
4081        for (sslproxy_cert_sign *sg = Config.ssl_client.cert_sign; sg != NULL; sg = sg->next) {
4082            if (sg->aclList && checklist.fastCheck(sg->aclList) == ACCESS_ALLOWED) {
4083                certProperties.signAlgorithm = (Ssl::CertSignAlgorithm)sg->alg;
4084                break;
4085            }
4086        }
4087    } else {// if (!sslServerBump->entry->isEmpty())
4088        // Use trusted certificate for a Squid-generated error
4089        // or the user would have to add a security exception
4090        // just to see the error page. We will close the connection
4091        // so that the trust is not extended to non-Squid content.
4092        certProperties.signAlgorithm = Ssl::algSignTrusted;
4093    }
4094
4095    assert(certProperties.signAlgorithm != Ssl::algSignEnd);
4096
4097    if (certProperties.signAlgorithm == Ssl::algSignUntrusted) {
4098        assert(port->untrustedSigningCert.get());
4099        certProperties.signWithX509.resetAndLock(port->untrustedSigningCert.get());
4100        certProperties.signWithPkey.resetAndLock(port->untrustedSignPkey.get());
4101    } else {
4102        assert(port->signingCert.get());
4103        certProperties.signWithX509.resetAndLock(port->signingCert.get());
4104
4105        if (port->signPkey.get())
4106            certProperties.signWithPkey.resetAndLock(port->signPkey.get());
4107    }
4108    signAlgorithm = certProperties.signAlgorithm;
4109
4110    certProperties.signHash = Ssl::DefaultSignHash;
4111}
4112
4113void
4114ConnStateData::getSslContextStart()
4115{
4116    assert(areAllContextsForThisConnection());
4117    freeAllContexts();
4118    /* careful: freeAllContexts() above frees request, host, etc. */
4119
4120    if (port->generateHostCertificates) {
4121        Ssl::CertificateProperties certProperties;
4122        buildSslCertGenerationParams(certProperties);
4123        sslBumpCertKey = certProperties.dbKey().c_str();
4124        assert(sslBumpCertKey.size() > 0 && sslBumpCertKey[0] != '\0');
4125
4126        // Disable caching for bumpPeekAndSplice mode
4127        if (!(sslServerBump && (sslServerBump->act.step1 == Ssl::bumpPeek || sslServerBump->act.step1 == Ssl::bumpStare))) {
4128            debugs(33, 5, "Finding SSL certificate for " << sslBumpCertKey << " in cache");
4129            Ssl::LocalContextStorage * ssl_ctx_cache = Ssl::TheGlobalContextStorage.getLocalStorage(port->s);
4130            SSL_CTX * dynCtx = NULL;
4131            Ssl::SSL_CTX_Pointer *cachedCtx = ssl_ctx_cache ? ssl_ctx_cache->get(sslBumpCertKey.termedBuf()) : NULL;
4132            if (cachedCtx && (dynCtx = cachedCtx->get())) {
4133                debugs(33, 5, "SSL certificate for " << sslBumpCertKey << " found in cache");
4134                if (Ssl::verifySslCertificate(dynCtx, certProperties)) {
4135                    debugs(33, 5, "Cached SSL certificate for " << sslBumpCertKey << " is valid");
4136                    getSslContextDone(dynCtx);
4137                    return;
4138                } else {
4139                    debugs(33, 5, "Cached SSL certificate for " << sslBumpCertKey << " is out of date. Delete this certificate from cache");
4140                    if (ssl_ctx_cache)
4141                        ssl_ctx_cache->del(sslBumpCertKey.termedBuf());
4142                }
4143            } else {
4144                debugs(33, 5, "SSL certificate for " << sslBumpCertKey << " haven't found in cache");
4145            }
4146        }
4147
4148#if USE_SSL_CRTD
4149        try {
4150            debugs(33, 5, HERE << "Generating SSL certificate for " << certProperties.commonName << " using ssl_crtd.");
4151            Ssl::CrtdMessage request_message(Ssl::CrtdMessage::REQUEST);
4152            request_message.setCode(Ssl::CrtdMessage::code_new_certificate);
4153            request_message.composeRequest(certProperties);
4154            debugs(33, 5, HERE << "SSL crtd request: " << request_message.compose().c_str());
4155            Ssl::Helper::GetInstance()->sslSubmit(request_message, sslCrtdHandleReplyWrapper, this);
4156            return;
4157        } catch (const std::exception &e) {
4158            debugs(33, DBG_IMPORTANT, "ERROR: Failed to compose ssl_crtd " <<
4159                   "request for " << certProperties.commonName <<
4160                   " certificate: " << e.what() << "; will now block to " <<
4161                   "generate that certificate.");
4162            // fall through to do blocking in-process generation.
4163        }
4164#endif // USE_SSL_CRTD
4165
4166        debugs(33, 5, HERE << "Generating SSL certificate for " << certProperties.commonName);
4167        if (sslServerBump && (sslServerBump->act.step1 == Ssl::bumpPeek || sslServerBump->act.step1 == Ssl::bumpStare)) {
4168            doPeekAndSpliceStep();
4169            SSL *ssl = fd_table[clientConnection->fd].ssl;
4170            if (!Ssl::configureSSL(ssl, certProperties, *port))
4171                debugs(33, 5, "Failed to set certificates to ssl object for PeekAndSplice mode");
4172        } else {
4173            SSL_CTX *dynCtx = Ssl::generateSslContext(certProperties, *port);
4174            getSslContextDone(dynCtx, true);
4175        }
4176        return;
4177    }
4178    getSslContextDone(NULL);
4179}
4180
4181void
4182ConnStateData::getSslContextDone(SSL_CTX * sslContext, bool isNew)
4183{
4184    // Try to add generated ssl context to storage.
4185    if (port->generateHostCertificates && isNew) {
4186
4187        if (signAlgorithm == Ssl::algSignTrusted) {
4188            // Add signing certificate to the certificates chain
4189            X509 *cert = port->signingCert.get();
4190            if (SSL_CTX_add_extra_chain_cert(sslContext, cert)) {
4191                // increase the certificate lock
4192                CRYPTO_add(&(cert->references),1,CRYPTO_LOCK_X509);
4193            } else {
4194                const int ssl_error = ERR_get_error();
4195                debugs(33, DBG_IMPORTANT, "WARNING: can not add signing certificate to SSL context chain: " << ERR_error_string(ssl_error, NULL));
4196            }
4197            Ssl::addChainToSslContext(sslContext, port->certsToChain.get());
4198        }
4199        //else it is self-signed or untrusted do not attrach any certificate
4200
4201        Ssl::LocalContextStorage *ssl_ctx_cache = Ssl::TheGlobalContextStorage.getLocalStorage(port->s);
4202        assert(sslBumpCertKey.size() > 0 && sslBumpCertKey[0] != '\0');
4203        if (sslContext) {
4204            if (!ssl_ctx_cache || !ssl_ctx_cache->add(sslBumpCertKey.termedBuf(), new Ssl::SSL_CTX_Pointer(sslContext))) {
4205                // If it is not in storage delete after using. Else storage deleted it.
4206                fd_table[clientConnection->fd].dynamicSslContext = sslContext;
4207            }
4208        } else {
4209            debugs(33, 2, HERE << "Failed to generate SSL cert for " << sslConnectHostOrIp);
4210        }
4211    }
4212
4213    // If generated ssl context = NULL, try to use static ssl context.
4214    if (!sslContext) {
4215        if (!port->staticSslContext) {
4216            debugs(83, DBG_IMPORTANT, "Closing SSL " << clientConnection->remote << " as lacking SSL context");
4217            clientConnection->close();
4218            return;
4219        } else {
4220            debugs(33, 5, HERE << "Using static ssl context.");
4221            sslContext = port->staticSslContext.get();
4222        }
4223    }
4224
4225    if (!httpsCreate(clientConnection, sslContext))
4226        return;
4227
4228    // bumped intercepted conns should already have Config.Timeout.request set
4229    // but forwarded connections may only have Config.Timeout.lifetime. [Re]set
4230    // to make sure the connection does not get stuck on non-SSL clients.
4231    typedef CommCbMemFunT<ConnStateData, CommTimeoutCbParams> TimeoutDialer;
4232    AsyncCall::Pointer timeoutCall = JobCallback(33, 5, TimeoutDialer,
4233                                     this, ConnStateData::requestTimeout);
4234    commSetConnTimeout(clientConnection, Config.Timeout.request, timeoutCall);
4235
4236    // Disable the client read handler until CachePeer selection is complete
4237    Comm::SetSelect(clientConnection->fd, COMM_SELECT_READ, NULL, NULL, 0);
4238    Comm::SetSelect(clientConnection->fd, COMM_SELECT_READ, clientNegotiateSSL, this, 0);
4239    switchedToHttps_ = true;
4240}
4241
4242void
4243ConnStateData::switchToHttps(HttpRequest *request, Ssl::BumpMode bumpServerMode)
4244{
4245    assert(!switchedToHttps_);
4246
4247    sslConnectHostOrIp = request->GetHost();
4248    resetSslCommonName(request->GetHost());
4249
4250    // We are going to read new request
4251    flags.readMore = true;
4252    debugs(33, 5, HERE << "converting " << clientConnection << " to SSL");
4253
4254    // If sslServerBump is set, then we have decided to deny CONNECT
4255    // and now want to switch to SSL to send the error to the client
4256    // without even peeking at the origin server certificate.
4257    if (bumpServerMode == Ssl::bumpServerFirst && !sslServerBump) {
4258        request->flags.sslPeek = true;
4259        sslServerBump = new Ssl::ServerBump(request);
4260
4261        // will call httpsPeeked() with certificate and connection, eventually
4262        FwdState::fwdStart(clientConnection, sslServerBump->entry, sslServerBump->request.getRaw());
4263        return;
4264    } else if (bumpServerMode == Ssl::bumpPeek || bumpServerMode == Ssl::bumpStare) {
4265        request->flags.sslPeek = true;
4266        sslServerBump = new Ssl::ServerBump(request, NULL, bumpServerMode);
4267        startPeekAndSplice();
4268        return;
4269    }
4270
4271    // otherwise, use sslConnectHostOrIp
4272    getSslContextStart();
4273}
4274
4275/** negotiate an SSL connection */
4276static void
4277clientPeekAndSpliceSSL(int fd, void *data)
4278{
4279    ConnStateData *conn = (ConnStateData *)data;
4280    SSL *ssl = fd_table[fd].ssl;
4281
4282    debugs(83, 5, "Start peek and splice on FD " << fd);
4283
4284    if (!Squid_SSL_accept(conn, clientPeekAndSpliceSSL))
4285        debugs(83, 2, "SSL_accept failed.");
4286
4287    BIO *b = SSL_get_rbio(ssl);
4288    assert(b);
4289    Ssl::ClientBio *bio = static_cast<Ssl::ClientBio *>(b->ptr);
4290    if (bio->gotHello()) {
4291        if (conn->serverBump()) {
4292            Ssl::Bio::sslFeatures const &features = bio->getFeatures();
4293            if (!features.serverName.isEmpty()) {
4294                conn->serverBump()->clientSni = features.serverName;
4295                conn->resetSslCommonName(features.serverName.c_str());
4296            }
4297        }
4298
4299        debugs(83, 5, "I got hello. Start forwarding the request!!! ");
4300        Comm::SetSelect(fd, COMM_SELECT_READ, NULL, NULL, 0);
4301        Comm::SetSelect(fd, COMM_SELECT_WRITE, NULL, NULL, 0);
4302        conn->startPeekAndSpliceDone();
4303        return;
4304    }
4305}
4306
4307void ConnStateData::startPeekAndSplice()
4308{
4309    // will call httpsPeeked() with certificate and connection, eventually
4310    SSL_CTX *unConfiguredCTX = Ssl::createSSLContext(port->signingCert, port->signPkey, *port);
4311    fd_table[clientConnection->fd].dynamicSslContext = unConfiguredCTX;
4312
4313    if (!httpsCreate(clientConnection, unConfiguredCTX))
4314        return;
4315
4316    // commSetConnTimeout() was called for this request before we switched.
4317
4318    // Disable the client read handler until CachePeer selection is complete
4319    Comm::SetSelect(clientConnection->fd, COMM_SELECT_READ, NULL, NULL, 0);
4320    Comm::SetSelect(clientConnection->fd, COMM_SELECT_READ, clientPeekAndSpliceSSL, this, 0);
4321    switchedToHttps_ = true;
4322
4323    SSL *ssl = fd_table[clientConnection->fd].ssl;
4324    BIO *b = SSL_get_rbio(ssl);
4325    Ssl::ClientBio *bio = static_cast<Ssl::ClientBio *>(b->ptr);
4326    bio->hold(true);
4327}
4328
4329void httpsSslBumpStep2AccessCheckDone(allow_t answer, void *data)
4330{
4331    ConnStateData *connState = (ConnStateData *) data;
4332
4333    // if the connection is closed or closing, just return.
4334    if (!connState->isOpen())
4335        return;
4336
4337    debugs(33, 5, "Answer: " << answer << " kind:" << answer.kind);
4338    assert(connState->serverBump());
4339    Ssl::BumpMode bumpAction;
4340    if (answer == ACCESS_ALLOWED) {
4341        bumpAction = (Ssl::BumpMode)answer.kind;
4342    } else
4343        bumpAction = Ssl::bumpSplice;
4344
4345    connState->serverBump()->act.step2 = bumpAction;
4346    connState->sslBumpMode = bumpAction;
4347
4348    if (bumpAction == Ssl::bumpTerminate) {
4349        connState->clientConnection->close();
4350    } else if (bumpAction != Ssl::bumpSplice) {
4351        connState->startPeekAndSpliceDone();
4352    } else {
4353        //Normally we can splice here, because we just got client hello message
4354        SSL *ssl = fd_table[connState->clientConnection->fd].ssl;
4355        BIO *b = SSL_get_rbio(ssl);
4356        Ssl::ClientBio *bio = static_cast<Ssl::ClientBio *>(b->ptr);
4357        MemBuf const &rbuf = bio->rBufData();
4358        debugs(83,5, "Bio for  " << connState->clientConnection << " read " << rbuf.contentSize() << " helo bytes");
4359        // Do splice:
4360        fd_table[connState->clientConnection->fd].read_method = &default_read_method;
4361        fd_table[connState->clientConnection->fd].write_method = &default_write_method;
4362
4363        if (connState->transparent()) {
4364            // fake a CONNECT request to force connState to tunnel
4365            // XXX: copy from MemBuf reallocates, not a regression since old code did too
4366            SBuf temp;
4367            temp.append(rbuf.content(), rbuf.contentSize());
4368            connState->fakeAConnectRequest("intercepted TLS spliced", temp);
4369        } else {
4370            // in.buf still has the "CONNECT ..." request data, reset it to SSL hello message
4371            connState->in.buf.append(rbuf.content(), rbuf.contentSize());
4372            ClientSocketContext::Pointer context = connState->getCurrentContext();
4373            ClientHttpRequest *http = context->http;
4374            tunnelStart(http, &http->out.size, &http->al->http.code, http->al);
4375        }
4376    }
4377}
4378
4379void
4380ConnStateData::startPeekAndSpliceDone()
4381{
4382    // This is the Step2 of the SSL bumping
4383    assert(sslServerBump);
4384    if (sslServerBump->step == Ssl::bumpStep1) {
4385        sslServerBump->step = Ssl::bumpStep2;
4386        // Run a accessList check to check if want to splice or continue bumping
4387
4388        ACLFilledChecklist *acl_checklist = new ACLFilledChecklist(Config.accessList.ssl_bump, sslServerBump->request.getRaw(), NULL);
4389        //acl_checklist->src_addr = params.conn->remote;
4390        //acl_checklist->my_addr = s->s;
4391        acl_checklist->banAction(allow_t(ACCESS_ALLOWED, Ssl::bumpNone));
4392        acl_checklist->banAction(allow_t(ACCESS_ALLOWED, Ssl::bumpClientFirst));
4393        acl_checklist->banAction(allow_t(ACCESS_ALLOWED, Ssl::bumpServerFirst));
4394        acl_checklist->nonBlockingCheck(httpsSslBumpStep2AccessCheckDone, this);
4395        return;
4396    }
4397
4398    FwdState::fwdStart(clientConnection, sslServerBump->entry, sslServerBump->request.getRaw());
4399}
4400
4401void
4402ConnStateData::doPeekAndSpliceStep()
4403{
4404    SSL *ssl = fd_table[clientConnection->fd].ssl;
4405    BIO *b = SSL_get_rbio(ssl);
4406    assert(b);
4407    Ssl::ClientBio *bio = static_cast<Ssl::ClientBio *>(b->ptr);
4408
4409    debugs(33, 5, "PeekAndSplice mode, proceed with client negotiation. Currrent state:" << SSL_state_string_long(ssl));
4410    bio->hold(false);
4411
4412    Comm::SetSelect(clientConnection->fd, COMM_SELECT_WRITE, clientNegotiateSSL, this, 0);
4413    switchedToHttps_ = true;
4414}
4415
4416void
4417ConnStateData::httpsPeeked(Comm::ConnectionPointer serverConnection)
4418{
4419    Must(sslServerBump != NULL);
4420
4421    if (Comm::IsConnOpen(serverConnection)) {
4422        pinConnection(serverConnection, NULL, NULL, false);
4423
4424        debugs(33, 5, HERE << "bumped HTTPS server: " << sslConnectHostOrIp);
4425    } else {
4426        debugs(33, 5, HERE << "Error while bumping: " << sslConnectHostOrIp);
4427
4428        //  copy error detail from bump-server-first request to CONNECT request
4429        if (currentobject != NULL && currentobject->http != NULL && currentobject->http->request)
4430            currentobject->http->request->detailError(sslServerBump->request->errType, sslServerBump->request->errDetail);
4431    }
4432
4433    getSslContextStart();
4434}
4435
4436#endif /* USE_OPENSSL */
4437
4438void
4439ConnStateData::fakeAConnectRequest(const char *reason, const SBuf &payload)
4440{
4441    // fake a CONNECT request to force connState to tunnel
4442    SBuf connectHost;
4443#if USE_OPENSSL
4444    if (serverBump() && !serverBump()->clientSni.isEmpty()) {
4445        connectHost.assign(serverBump()->clientSni);
4446        if (clientConnection->local.port() > 0)
4447            connectHost.appendf(":%d",clientConnection->local.port());
4448    } else
4449#endif
4450    {
4451        static char ip[MAX_IPSTRLEN];
4452        connectHost.assign(clientConnection->local.toUrl(ip, sizeof(ip)));
4453    }
4454    // Pre-pend this fake request to the TLS bits already in the buffer
4455    SBuf retStr;
4456    retStr.append("CONNECT ");
4457    retStr.append(connectHost);
4458    retStr.append(" HTTP/1.1\r\nHost: ");
4459    retStr.append(connectHost);
4460    retStr.append("\r\n\r\n");
4461    retStr.append(payload);
4462    in.buf = retStr;
4463    bool ret = handleReadData();
4464    if (ret)
4465        ret = clientParseRequests();
4466
4467    if (!ret) {
4468        debugs(33, 2, "Failed to start fake CONNECT request for " << reason << " connection: " << clientConnection);
4469        clientConnection->close();
4470    }
4471}
4472
4473/// check FD after clientHttp[s]ConnectionOpened, adjust HttpSockets as needed
4474static bool
4475OpenedHttpSocket(const Comm::ConnectionPointer &c, const Ipc::FdNoteId portType)
4476{
4477    if (!Comm::IsConnOpen(c)) {
4478        Must(NHttpSockets > 0); // we tried to open some
4479        --NHttpSockets; // there will be fewer sockets than planned
4480        Must(HttpSockets[NHttpSockets] < 0); // no extra fds received
4481
4482        if (!NHttpSockets) // we could not open any listen sockets at all
4483            fatalf("Unable to open %s",FdNote(portType));
4484
4485        return false;
4486    }
4487    return true;
4488}
4489
4490/// find any unused HttpSockets[] slot and store fd there or return false
4491static bool
4492AddOpenedHttpSocket(const Comm::ConnectionPointer &conn)
4493{
4494    bool found = false;
4495    for (int i = 0; i < NHttpSockets && !found; ++i) {
4496        if ((found = HttpSockets[i] < 0))
4497            HttpSockets[i] = conn->fd;
4498    }
4499    return found;
4500}
4501
4502static void
4503clientHttpConnectionsOpen(void)
4504{
4505    for (AnyP::PortCfgPointer s = HttpPortList; s != NULL; s = s->next) {
4506        if (MAXTCPLISTENPORTS == NHttpSockets) {
4507            debugs(1, DBG_IMPORTANT, "WARNING: You have too many 'http_port' lines.");
4508            debugs(1, DBG_IMPORTANT, "         The limit is " << MAXTCPLISTENPORTS << " HTTP ports.");
4509            continue;
4510        }
4511
4512#if USE_OPENSSL
4513        if (s->flags.tunnelSslBumping && !Config.accessList.ssl_bump) {
4514            debugs(33, DBG_IMPORTANT, "WARNING: No ssl_bump configured. Disabling ssl-bump on " << AnyP::UriScheme(s->transport.protocol) << "_port " << s->s);
4515            s->flags.tunnelSslBumping = false;
4516        }
4517
4518        if (s->flags.tunnelSslBumping &&
4519                !s->staticSslContext &&
4520                !s->generateHostCertificates) {
4521            debugs(1, DBG_IMPORTANT, "Will not bump SSL at http_port " << s->s << " due to SSL initialization failure.");
4522            s->flags.tunnelSslBumping = false;
4523        }
4524        if (s->flags.tunnelSslBumping) {
4525            // Create ssl_ctx cache for this port.
4526            Ssl::TheGlobalContextStorage.addLocalStorage(s->s, s->dynamicCertMemCacheSize == std::numeric_limits<size_t>::max() ? 4194304 : s->dynamicCertMemCacheSize);
4527        }
4528#endif
4529
4530        // Fill out a Comm::Connection which IPC will open as a listener for us
4531        //  then pass back when active so we can start a TcpAcceptor subscription.
4532        s->listenConn = new Comm::Connection;
4533        s->listenConn->local = s->s;
4534        s->listenConn->flags = COMM_NONBLOCKING | (s->flags.tproxyIntercept ? COMM_TRANSPARENT : 0) | (s->flags.natIntercept ? COMM_INTERCEPTION : 0);
4535
4536        // setup the subscriptions such that new connections accepted by listenConn are handled by HTTP
4537        typedef CommCbFunPtrCallT<CommAcceptCbPtrFun> AcceptCall;
4538        RefCount<AcceptCall> subCall = commCbCall(5, 5, "httpAccept", CommAcceptCbPtrFun(httpAccept, CommAcceptCbParams(NULL)));
4539        Subscription::Pointer sub = new CallSubscription<AcceptCall>(subCall);
4540
4541        AsyncCall::Pointer listenCall = asyncCall(33,2, "clientListenerConnectionOpened",
4542                                        ListeningStartedDialer(&clientListenerConnectionOpened, s, Ipc::fdnHttpSocket, sub));
4543        Ipc::StartListening(SOCK_STREAM, IPPROTO_TCP, s->listenConn, Ipc::fdnHttpSocket, listenCall);
4544
4545        HttpSockets[NHttpSockets] = -1; // set in clientListenerConnectionOpened
4546        ++NHttpSockets;
4547    }
4548}
4549
4550#if USE_OPENSSL
4551static void
4552clientHttpsConnectionsOpen(void)
4553{
4554    for (AnyP::PortCfgPointer s = HttpsPortList; s != NULL; s = s->next) {
4555        if (MAXTCPLISTENPORTS == NHttpSockets) {
4556            debugs(1, DBG_IMPORTANT, "Ignoring 'https_port' lines exceeding the limit.");
4557            debugs(1, DBG_IMPORTANT, "The limit is " << MAXTCPLISTENPORTS << " HTTPS ports.");
4558            continue;
4559        }
4560
4561        if (!s->staticSslContext) {
4562            debugs(1, DBG_IMPORTANT, "Ignoring https_port " << s->s <<
4563                   " due to SSL initialization failure.");
4564            continue;
4565        }
4566
4567        // TODO: merge with similar code in clientHttpConnectionsOpen()
4568        if (s->flags.tunnelSslBumping && !Config.accessList.ssl_bump) {
4569            debugs(33, DBG_IMPORTANT, "WARNING: No ssl_bump configured. Disabling ssl-bump on " << AnyP::UriScheme(s->transport.protocol) << "_port " << s->s);
4570            s->flags.tunnelSslBumping = false;
4571        }
4572
4573        if (s->flags.tunnelSslBumping && !s->staticSslContext && !s->generateHostCertificates) {
4574            debugs(1, DBG_IMPORTANT, "Will not bump SSL at https_port " << s->s << " due to SSL initialization failure.");
4575            s->flags.tunnelSslBumping = false;
4576        }
4577
4578        if (s->flags.tunnelSslBumping) {
4579            // Create ssl_ctx cache for this port.
4580            Ssl::TheGlobalContextStorage.addLocalStorage(s->s, s->dynamicCertMemCacheSize == std::numeric_limits<size_t>::max() ? 4194304 : s->dynamicCertMemCacheSize);
4581        }
4582
4583        // Fill out a Comm::Connection which IPC will open as a listener for us
4584        s->listenConn = new Comm::Connection;
4585        s->listenConn->local = s->s;
4586        s->listenConn->flags = COMM_NONBLOCKING | (s->flags.tproxyIntercept ? COMM_TRANSPARENT : 0) |
4587                               (s->flags.natIntercept ? COMM_INTERCEPTION : 0);
4588
4589        // setup the subscriptions such that new connections accepted by listenConn are handled by HTTPS
4590        typedef CommCbFunPtrCallT<CommAcceptCbPtrFun> AcceptCall;
4591        RefCount<AcceptCall> subCall = commCbCall(5, 5, "httpsAccept", CommAcceptCbPtrFun(httpsAccept, CommAcceptCbParams(NULL)));
4592        Subscription::Pointer sub = new CallSubscription<AcceptCall>(subCall);
4593
4594        AsyncCall::Pointer listenCall = asyncCall(33, 2, "clientListenerConnectionOpened",
4595                                        ListeningStartedDialer(&clientListenerConnectionOpened,
4596                                                s, Ipc::fdnHttpsSocket, sub));
4597        Ipc::StartListening(SOCK_STREAM, IPPROTO_TCP, s->listenConn, Ipc::fdnHttpsSocket, listenCall);
4598        HttpSockets[NHttpSockets] = -1;
4599        ++NHttpSockets;
4600    }
4601}
4602#endif
4603
4604void
4605clientStartListeningOn(AnyP::PortCfgPointer &port, const RefCount< CommCbFunPtrCallT<CommAcceptCbPtrFun> > &subCall, const Ipc::FdNoteId fdNote)
4606{
4607    // Fill out a Comm::Connection which IPC will open as a listener for us
4608    port->listenConn = new Comm::Connection;
4609    port->listenConn->local = port->s;
4610    port->listenConn->flags =
4611        COMM_NONBLOCKING |
4612        (port->flags.tproxyIntercept ? COMM_TRANSPARENT : 0) |
4613        (port->flags.natIntercept ? COMM_INTERCEPTION : 0);
4614
4615    // route new connections to subCall
4616    typedef CommCbFunPtrCallT<CommAcceptCbPtrFun> AcceptCall;
4617    Subscription::Pointer sub = new CallSubscription<AcceptCall>(subCall);
4618    AsyncCall::Pointer listenCall =
4619        asyncCall(33, 2, "clientListenerConnectionOpened",
4620                  ListeningStartedDialer(&clientListenerConnectionOpened,
4621                                         port, fdNote, sub));
4622    Ipc::StartListening(SOCK_STREAM, IPPROTO_TCP, port->listenConn, fdNote, listenCall);
4623
4624    assert(NHttpSockets < MAXTCPLISTENPORTS);
4625    HttpSockets[NHttpSockets] = -1;
4626    ++NHttpSockets;
4627}
4628
4629/// process clientHttpConnectionsOpen result
4630static void
4631clientListenerConnectionOpened(AnyP::PortCfgPointer &s, const Ipc::FdNoteId portTypeNote, const Subscription::Pointer &sub)
4632{
4633    Must(s != NULL);
4634
4635    if (!OpenedHttpSocket(s->listenConn, portTypeNote))
4636        return;
4637
4638    Must(Comm::IsConnOpen(s->listenConn));
4639
4640    // TCP: setup a job to handle accept() with subscribed handler
4641    AsyncJob::Start(new Comm::TcpAcceptor(s, FdNote(portTypeNote), sub));
4642
4643    debugs(1, DBG_IMPORTANT, "Accepting " <<
4644           (s->flags.natIntercept ? "NAT intercepted " : "") <<
4645           (s->flags.tproxyIntercept ? "TPROXY intercepted " : "") <<
4646           (s->flags.tunnelSslBumping ? "SSL bumped " : "") <<
4647           (s->flags.accelSurrogate ? "reverse-proxy " : "")
4648           << FdNote(portTypeNote) << " connections at "
4649           << s->listenConn);
4650
4651    Must(AddOpenedHttpSocket(s->listenConn)); // otherwise, we have received a fd we did not ask for
4652}
4653
4654void
4655clientOpenListenSockets(void)
4656{
4657    clientHttpConnectionsOpen();
4658#if USE_OPENSSL
4659    clientHttpsConnectionsOpen();
4660#endif
4661    Ftp::StartListening();
4662
4663    if (NHttpSockets < 1)
4664        fatal("No HTTP, HTTPS, or FTP ports configured");
4665}
4666
4667void
4668clientConnectionsClose()
4669{
4670    for (AnyP::PortCfgPointer s = HttpPortList; s != NULL; s = s->next) {
4671        if (s->listenConn != NULL) {
4672            debugs(1, DBG_IMPORTANT, "Closing HTTP port " << s->listenConn->local);
4673            s->listenConn->close();
4674            s->listenConn = NULL;
4675        }
4676    }
4677
4678#if USE_OPENSSL
4679    for (AnyP::PortCfgPointer s = HttpsPortList; s != NULL; s = s->next) {
4680        if (s->listenConn != NULL) {
4681            debugs(1, DBG_IMPORTANT, "Closing HTTPS port " << s->listenConn->local);
4682            s->listenConn->close();
4683            s->listenConn = NULL;
4684        }
4685    }
4686#endif
4687
4688    Ftp::StopListening();
4689
4690    // TODO see if we can drop HttpSockets array entirely */
4691    for (int i = 0; i < NHttpSockets; ++i) {
4692        HttpSockets[i] = -1;
4693    }
4694
4695    NHttpSockets = 0;
4696}
4697
4698int
4699varyEvaluateMatch(StoreEntry * entry, HttpRequest * request)
4700{
4701    const char *vary = request->vary_headers;
4702    int has_vary = entry->getReply()->header.has(HDR_VARY);
4703#if X_ACCELERATOR_VARY
4704
4705    has_vary |=
4706        entry->getReply()->header.has(HDR_X_ACCELERATOR_VARY);
4707#endif
4708
4709    if (!has_vary || !entry->mem_obj->vary_headers) {
4710        if (vary) {
4711            /* Oops... something odd is going on here.. */
4712            debugs(33, DBG_IMPORTANT, "varyEvaluateMatch: Oops. Not a Vary object on second attempt, '" <<
4713                   entry->mem_obj->urlXXX() << "' '" << vary << "'");
4714            safe_free(request->vary_headers);
4715            return VARY_CANCEL;
4716        }
4717
4718        if (!has_vary) {
4719            /* This is not a varying object */
4720            return VARY_NONE;
4721        }
4722
4723        /* virtual "vary" object found. Calculate the vary key and
4724         * continue the search
4725         */
4726        vary = httpMakeVaryMark(request, entry->getReply());
4727
4728        if (vary) {
4729            request->vary_headers = xstrdup(vary);
4730            return VARY_OTHER;
4731        } else {
4732            /* Ouch.. we cannot handle this kind of variance */
4733            /* XXX This cannot really happen, but just to be complete */
4734            return VARY_CANCEL;
4735        }
4736    } else {
4737        if (!vary) {
4738            vary = httpMakeVaryMark(request, entry->getReply());
4739
4740            if (vary)
4741                request->vary_headers = xstrdup(vary);
4742        }
4743
4744        if (!vary) {
4745            /* Ouch.. we cannot handle this kind of variance */
4746            /* XXX This cannot really happen, but just to be complete */
4747            return VARY_CANCEL;
4748        } else if (strcmp(vary, entry->mem_obj->vary_headers) == 0) {
4749            return VARY_MATCH;
4750        } else {
4751            /* Oops.. we have already been here and still haven't
4752             * found the requested variant. Bail out
4753             */
4754            debugs(33, DBG_IMPORTANT, "varyEvaluateMatch: Oops. Not a Vary match on second attempt, '" <<
4755                   entry->mem_obj->urlXXX() << "' '" << vary << "'");
4756            return VARY_CANCEL;
4757        }
4758    }
4759}
4760
4761ACLFilledChecklist *
4762clientAclChecklistCreate(const acl_access * acl, ClientHttpRequest * http)
4763{
4764    ConnStateData * conn = http->getConn();
4765    ACLFilledChecklist *ch = new ACLFilledChecklist(acl, http->request,
4766            cbdataReferenceValid(conn) && conn != NULL && conn->clientConnection != NULL ? conn->clientConnection->rfc931 : dash_str);
4767    ch->al = http->al;
4768    /*
4769     * hack for ident ACL. It needs to get full addresses, and a place to store
4770     * the ident result on persistent connections...
4771     */
4772    /* connection oriented auth also needs these two lines for it's operation. */
4773    return ch;
4774}
4775
4776bool
4777ConnStateData::transparent() const
4778{
4779    return clientConnection != NULL && (clientConnection->flags & (COMM_TRANSPARENT|COMM_INTERCEPTION));
4780}
4781
4782bool
4783ConnStateData::reading() const
4784{
4785    return reader != NULL;
4786}
4787
4788void
4789ConnStateData::stopReading()
4790{
4791    if (reading()) {
4792        Comm::ReadCancel(clientConnection->fd, reader);
4793        reader = NULL;
4794    }
4795}
4796
4797BodyPipe::Pointer
4798ConnStateData::expectRequestBody(int64_t size)
4799{
4800    bodyPipe = new BodyPipe(this);
4801    if (size >= 0)
4802        bodyPipe->setBodySize(size);
4803    else
4804        startDechunkingRequest();
4805    return bodyPipe;
4806}
4807
4808int64_t
4809ConnStateData::mayNeedToReadMoreBody() const
4810{
4811    if (!bodyPipe)
4812        return 0; // request without a body or read/produced all body bytes
4813
4814    if (!bodyPipe->bodySizeKnown())
4815        return -1; // probably need to read more, but we cannot be sure
4816
4817    const int64_t needToProduce = bodyPipe->unproducedSize();
4818    const int64_t haveAvailable = static_cast<int64_t>(in.buf.length());
4819
4820    if (needToProduce <= haveAvailable)
4821        return 0; // we have read what we need (but are waiting for pipe space)
4822
4823    return needToProduce - haveAvailable;
4824}
4825
4826void
4827ConnStateData::stopReceiving(const char *error)
4828{
4829    debugs(33, 4, HERE << "receiving error (" << clientConnection << "): " << error <<
4830           "; old sending error: " <<
4831           (stoppedSending() ? stoppedSending_ : "none"));
4832
4833    if (const char *oldError = stoppedReceiving()) {
4834        debugs(33, 3, HERE << "already stopped receiving: " << oldError);
4835        return; // nothing has changed as far as this connection is concerned
4836    }
4837
4838    stoppedReceiving_ = error;
4839
4840    if (const char *sendError = stoppedSending()) {
4841        debugs(33, 3, HERE << "closing because also stopped sending: " << sendError);
4842        clientConnection->close();
4843    }
4844}
4845
4846void
4847ConnStateData::expectNoForwarding()
4848{
4849    if (bodyPipe != NULL) {
4850        debugs(33, 4, HERE << "no consumer for virgin body " << bodyPipe->status());
4851        bodyPipe->expectNoConsumption();
4852    }
4853}
4854
4855/// initialize dechunking state
4856void
4857ConnStateData::startDechunkingRequest()
4858{
4859    Must(bodyPipe != NULL);
4860    debugs(33, 5, HERE << "start dechunking" << bodyPipe->status());
4861    assert(!in.bodyParser);
4862    in.bodyParser = new ChunkedCodingParser;
4863}
4864
4865/// put parsed content into input buffer and clean up
4866void
4867ConnStateData::finishDechunkingRequest(bool withSuccess)
4868{
4869    debugs(33, 5, HERE << "finish dechunking: " << withSuccess);
4870
4871    if (bodyPipe != NULL) {
4872        debugs(33, 7, HERE << "dechunked tail: " << bodyPipe->status());
4873        BodyPipe::Pointer myPipe = bodyPipe;
4874        stopProducingFor(bodyPipe, withSuccess); // sets bodyPipe->bodySize()
4875        Must(!bodyPipe); // we rely on it being nil after we are done with body
4876        if (withSuccess) {
4877            Must(myPipe->bodySizeKnown());
4878            ClientSocketContext::Pointer context = getCurrentContext();
4879            if (context != NULL && context->http && context->http->request)
4880                context->http->request->setContentLength(myPipe->bodySize());
4881        }
4882    }
4883
4884    delete in.bodyParser;
4885    in.bodyParser = NULL;
4886}
4887
4888ConnStateData::In::In() :
4889    bodyParser(NULL),
4890    buf()
4891{}
4892
4893ConnStateData::In::~In()
4894{
4895    delete bodyParser; // TODO: pool
4896}
4897
4898void
4899ConnStateData::sendControlMsg(HttpControlMsg msg)
4900{
4901    if (!isOpen()) {
4902        debugs(33, 3, HERE << "ignoring 1xx due to earlier closure");
4903        return;
4904    }
4905
4906    ClientSocketContext::Pointer context = getCurrentContext();
4907    if (context != NULL) {
4908        context->writeControlMsg(msg); // will call msg.cbSuccess
4909        return;
4910    }
4911
4912    debugs(33, 3, HERE << " closing due to missing context for 1xx");
4913    clientConnection->close();
4914}
4915
4916/// Our close handler called by Comm when the pinned connection is closed
4917void
4918ConnStateData::clientPinnedConnectionClosed(const CommCloseCbParams &io)
4919{
4920    // FwdState might repin a failed connection sooner than this close
4921    // callback is called for the failed connection.
4922    assert(pinning.serverConnection == io.conn);
4923    pinning.closeHandler = NULL; // Comm unregisters handlers before calling
4924    const bool sawZeroReply = pinning.zeroReply; // reset when unpinning
4925    pinning.serverConnection->noteClosure();
4926    unpinConnection(false);
4927
4928    if (sawZeroReply && clientConnection != NULL) {
4929        debugs(33, 3, "Closing client connection on pinned zero reply.");
4930        clientConnection->close();
4931    }
4932
4933}
4934
4935void
4936ConnStateData::pinConnection(const Comm::ConnectionPointer &pinServer, HttpRequest *request, CachePeer *aPeer, bool auth, bool monitor)
4937{
4938    if (!Comm::IsConnOpen(pinning.serverConnection) ||
4939            pinning.serverConnection->fd != pinServer->fd)
4940        pinNewConnection(pinServer, request, aPeer, auth);
4941
4942    if (monitor)
4943        startPinnedConnectionMonitoring();
4944}
4945
4946void
4947ConnStateData::pinNewConnection(const Comm::ConnectionPointer &pinServer, HttpRequest *request, CachePeer *aPeer, bool auth)
4948{
4949    unpinConnection(true); // closes pinned connection, if any, and resets fields
4950
4951    pinning.serverConnection = pinServer;
4952
4953    debugs(33, 3, HERE << pinning.serverConnection);
4954
4955    Must(pinning.serverConnection != NULL);
4956
4957    // when pinning an SSL bumped connection, the request may be NULL
4958    const char *pinnedHost = "[unknown]";
4959    if (request) {
4960        pinning.host = xstrdup(request->GetHost());
4961        pinning.port = request->port;
4962        pinnedHost = pinning.host;
4963    } else {
4964        pinning.port = pinServer->remote.port();
4965    }
4966    pinning.pinned = true;
4967    if (aPeer)
4968        pinning.peer = cbdataReference(aPeer);
4969    pinning.auth = auth;
4970    char stmp[MAX_IPSTRLEN];
4971    char desc[FD_DESC_SZ];
4972    snprintf(desc, FD_DESC_SZ, "%s pinned connection for %s (%d)",
4973             (auth || !aPeer) ? pinnedHost : aPeer->name,
4974             clientConnection->remote.toUrl(stmp,MAX_IPSTRLEN),
4975             clientConnection->fd);
4976    fd_note(pinning.serverConnection->fd, desc);
4977
4978    typedef CommCbMemFunT<ConnStateData, CommCloseCbParams> Dialer;
4979    pinning.closeHandler = JobCallback(33, 5,
4980                                       Dialer, this, ConnStateData::clientPinnedConnectionClosed);
4981    // remember the pinned connection so that cb does not unpin a fresher one
4982    typedef CommCloseCbParams Params;
4983    Params &params = GetCommParams<Params>(pinning.closeHandler);
4984    params.conn = pinning.serverConnection;
4985    comm_add_close_handler(pinning.serverConnection->fd, pinning.closeHandler);
4986}
4987
4988/// [re]start monitoring pinned connection for peer closures so that we can
4989/// propagate them to an _idle_ client pinned to that peer
4990void
4991ConnStateData::startPinnedConnectionMonitoring()
4992{
4993    if (pinning.readHandler != NULL)
4994        return; // already monitoring
4995
4996    typedef CommCbMemFunT<ConnStateData, CommIoCbParams> Dialer;
4997    pinning.readHandler = JobCallback(33, 3,
4998                                      Dialer, this, ConnStateData::clientPinnedConnectionRead);
4999    Comm::Read(pinning.serverConnection, pinning.readHandler);
5000}
5001
5002void
5003ConnStateData::stopPinnedConnectionMonitoring()
5004{
5005    if (pinning.readHandler != NULL) {
5006        Comm::ReadCancel(pinning.serverConnection->fd, pinning.readHandler);
5007        pinning.readHandler = NULL;
5008    }
5009}
5010
5011#if USE_OPENSSL
5012bool
5013ConnStateData::handleIdleClientPinnedTlsRead()
5014{
5015    // A ready-for-reading connection means that the TLS server either closed
5016    // the connection, sent us some unexpected HTTP data, or started TLS
5017    // renegotiations. We should close the connection except for the last case.
5018
5019    Must(pinning.serverConnection != NULL);
5020    SSL *ssl = fd_table[pinning.serverConnection->fd].ssl;
5021    if (!ssl)
5022        return false;
5023
5024    char buf[1];
5025    const int readResult = SSL_read(ssl, buf, sizeof(buf));
5026
5027    if (readResult > 0 || SSL_pending(ssl) > 0) {
5028        debugs(83, 2, pinning.serverConnection << " TLS application data read");
5029        return false;
5030    }
5031
5032    switch(const int error = SSL_get_error(ssl, readResult)) {
5033    case SSL_ERROR_WANT_WRITE:
5034        debugs(83, DBG_IMPORTANT, pinning.serverConnection << " TLS SSL_ERROR_WANT_WRITE request for idle pinned connection");
5035    // fall through to restart monitoring, for now
5036    case SSL_ERROR_NONE:
5037    case SSL_ERROR_WANT_READ:
5038        startPinnedConnectionMonitoring();
5039        return true;
5040
5041    default:
5042        debugs(83, 2, pinning.serverConnection << " TLS error: " << error);
5043        return false;
5044    }
5045
5046    // not reached
5047    return true;
5048}
5049#endif
5050
5051/// Our read handler called by Comm when the server either closes an idle pinned connection or
5052/// perhaps unexpectedly sends something on that idle (from Squid p.o.v.) connection.
5053void
5054ConnStateData::clientPinnedConnectionRead(const CommIoCbParams &io)
5055{
5056    pinning.readHandler = NULL; // Comm unregisters handlers before calling
5057
5058    if (io.flag == Comm::ERR_CLOSING)
5059        return; // close handler will clean up
5060
5061    Must(pinning.serverConnection == io.conn);
5062
5063#if USE_OPENSSL
5064    if (handleIdleClientPinnedTlsRead())
5065        return;
5066#endif
5067
5068    // We could use getConcurrentRequestCount(), but this may be faster.
5069    const bool clientIsIdle = !getCurrentContext();
5070
5071    debugs(33, 3, "idle pinned " << pinning.serverConnection << " read " <<
5072           io.size << (clientIsIdle ? " with idle client" : ""));
5073
5074    pinning.serverConnection->close();
5075
5076    // If we are still sending data to the client, do not close now. When we are done sending,
5077    // ClientSocketContext::keepaliveNextRequest() checks pinning.serverConnection and will close.
5078    // However, if we are idle, then we must close to inform the idle client and minimize races.
5079    if (clientIsIdle && clientConnection != NULL)
5080        clientConnection->close();
5081}
5082
5083const Comm::ConnectionPointer
5084ConnStateData::validatePinnedConnection(HttpRequest *request, const CachePeer *aPeer)
5085{
5086    debugs(33, 7, HERE << pinning.serverConnection);
5087
5088    bool valid = true;
5089    if (!Comm::IsConnOpen(pinning.serverConnection))
5090        valid = false;
5091    else if (pinning.auth && pinning.host && request && strcasecmp(pinning.host, request->GetHost()) != 0)
5092        valid = false;
5093    else if (request && pinning.port != request->port)
5094        valid = false;
5095    else if (pinning.peer && !cbdataReferenceValid(pinning.peer))
5096        valid = false;
5097    else if (aPeer != pinning.peer)
5098        valid = false;
5099
5100    if (!valid) {
5101        /* The pinning info is not safe, remove any pinning info */
5102        unpinConnection(true);
5103    }
5104
5105    return pinning.serverConnection;
5106}
5107
5108Comm::ConnectionPointer
5109ConnStateData::borrowPinnedConnection(HttpRequest *request, const CachePeer *aPeer)
5110{
5111    debugs(33, 7, pinning.serverConnection);
5112    if (validatePinnedConnection(request, aPeer) != NULL)
5113        stopPinnedConnectionMonitoring();
5114
5115    return pinning.serverConnection; // closed if validation failed
5116}
5117
5118void
5119ConnStateData::unpinConnection(const bool andClose)
5120{
5121    debugs(33, 3, HERE << pinning.serverConnection);
5122
5123    if (pinning.peer)
5124        cbdataReferenceDone(pinning.peer);
5125
5126    if (Comm::IsConnOpen(pinning.serverConnection)) {
5127        if (pinning.closeHandler != NULL) {
5128            comm_remove_close_handler(pinning.serverConnection->fd, pinning.closeHandler);
5129            pinning.closeHandler = NULL;
5130        }
5131
5132        stopPinnedConnectionMonitoring();
5133
5134        // close the server side socket if requested
5135        if (andClose)
5136            pinning.serverConnection->close();
5137        pinning.serverConnection = NULL;
5138    }
5139
5140    safe_free(pinning.host);
5141
5142    pinning.zeroReply = false;
5143
5144    /* NOTE: pinning.pinned should be kept. This combined with fd == -1 at the end of a request indicates that the host
5145     * connection has gone away */
5146}
5147
Note: See TracBrowser for help on using the repository browser.