]> git.ipfire.org Git - thirdparty/squid.git/blob - src/security/PeerConnector.cc
projects / thirdparty / squid.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
transaction_initiator ACL for detecting various unusual transactions
[thirdparty/squid.git] / src / security / PeerConnector.cc
1 /*
2 * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9 /* DEBUG: section 83 TLS Server/Peer negotiation */
10
11 #include "squid.h"
12 #include "acl/FilledChecklist.h"
13 #include "comm/Loops.h"
14 #include "Downloader.h"
15 #include "errorpage.h"
16 #include "fde.h"
17 #include "http/Stream.h"
18 #include "HttpRequest.h"
19 #include "security/NegotiationHistory.h"
20 #include "security/PeerConnector.h"
21 #include "SquidConfig.h"
22 #if USE_OPENSSL
23 #include "ssl/bio.h"
24 #include "ssl/cert_validate_message.h"
25 #include "ssl/Config.h"
26 #include "ssl/helper.h"
27 #endif
28
29 CBDATA_NAMESPACED_CLASS_INIT(Security, PeerConnector);
30
31 Security::PeerConnector::PeerConnector(const Comm::ConnectionPointer &aServerConn, AsyncCall::Pointer &aCallback, const AccessLogEntryPointer &alp, const time_t timeout) :
32 AsyncJob("Security::PeerConnector"),
33 serverConn(aServerConn),
34 al(alp),
35 callback(aCallback),
36 negotiationTimeout(timeout),
37 startTime(squid_curtime),
38 useCertValidator_(true),
39 certsDownloads(0)
40 {
41 debugs(83, 5, "Security::PeerConnector constructed, this=" << (void*)this);
42 // if this throws, the caller's cb dialer is not our CbDialer
43 Must(dynamic_cast<CbDialer*>(callback->getDialer()));
44 }
45
46 Security::PeerConnector::~PeerConnector()
47 {
48 debugs(83, 5, "Security::PeerConnector destructed, this=" << (void*)this);
49 }
50
51 bool Security::PeerConnector::doneAll() const
52 {
53 return (!callback || callback->canceled()) && AsyncJob::doneAll();
54 }
55
56 /// Preps connection and SSL state. Calls negotiate().
57 void
58 Security::PeerConnector::start()
59 {
60 AsyncJob::start();
61 debugs(83, 5, "this=" << (void*)this);
62
63 Security::SessionPointer tmp;
64 if (prepareSocket() && initialize(tmp))
65 negotiate();
66 else
67 mustStop("Security::PeerConnector TLS socket initialize failed");
68 }
69
70 void
71 Security::PeerConnector::commCloseHandler(const CommCloseCbParams &params)
72 {
73 debugs(83, 5, "FD " << params.fd << ", Security::PeerConnector=" << params.data);
74 connectionClosed("Security::PeerConnector::commCloseHandler");
75 }
76
77 void
78 Security::PeerConnector::connectionClosed(const char *reason)
79 {
80 debugs(83, 5, reason << " socket closed/closing. this=" << (void*)this);
81 mustStop(reason);
82 callback = NULL;
83 }
84
85 bool
86 Security::PeerConnector::prepareSocket()
87 {
88 debugs(83, 5, serverConnection() << ", this=" << (void*)this);
89 if (!Comm::IsConnOpen(serverConnection()) || fd_table[serverConnection()->fd].closing()) {
90 connectionClosed("Security::PeerConnector::prepareSocket");
91 return false;
92 }
93
94 debugs(83, 5, serverConnection());
95
96 // watch for external connection closures
97 typedef CommCbMemFunT<Security::PeerConnector, CommCloseCbParams> Dialer;
98 closeHandler = JobCallback(9, 5, Dialer, this, Security::PeerConnector::commCloseHandler);
99 comm_add_close_handler(serverConnection()->fd, closeHandler);
100 return true;
101 }
102
103 bool
104 Security::PeerConnector::initialize(Security::SessionPointer &serverSession)
105 {
106 Security::ContextPointer ctx(getTlsContext());
107 debugs(83, 5, serverConnection() << ", ctx=" << (void*)ctx.get());
108
109 if (!ctx || !Security::CreateClientSession(ctx, serverConnection(), "server https start")) {
110 const auto xerrno = errno;
111 if (!ctx) {
112 debugs(83, DBG_IMPORTANT, "Error initializing TLS connection: No security context.");
113 } // else CreateClientSession() did the appropriate debugs() already
114 ErrorState *anErr = new ErrorState(ERR_SOCKET_FAILURE, Http::scInternalServerError, request.getRaw());
115 anErr->xerrno = xerrno;
116 noteNegotiationDone(anErr);
117 bail(anErr);
118 return false;
119 }
120
121 // A TLS/SSL session has now been created for the connection and stored in fd_table
122 serverSession = fd_table[serverConnection()->fd].ssl;
123 debugs(83, 5, serverConnection() << ", session=" << (void*)serverSession.get());
124
125 #if USE_OPENSSL
126 // If CertValidation Helper used do not lookup checklist for errors,
127 // but keep a list of errors to send it to CertValidator
128 if (!Ssl::TheConfig.ssl_crt_validator) {
129 // Create the ACL check list now, while we have access to more info.
130 // The list is used in ssl_verify_cb() and is freed in ssl_free().
131 if (acl_access *acl = ::Config.ssl_client.cert_error) {
132 ACLFilledChecklist *check = new ACLFilledChecklist(acl, request.getRaw(), dash_str);
133 check->al = al;
134 // check->fd(fd); XXX: need client FD here
135 SSL_set_ex_data(serverSession.get(), ssl_ex_index_cert_error_check, check);
136 }
137 }
138 #endif
139
140 return true;
141 }
142
143 void
144 Security::PeerConnector::setReadTimeout()
145 {
146 int timeToRead;
147 if (negotiationTimeout) {
148 const int timeUsed = squid_curtime - startTime;
149 const int timeLeft = max(0, static_cast<int>(negotiationTimeout - timeUsed));
150 timeToRead = min(static_cast<int>(::Config.Timeout.read), timeLeft);
151 } else
152 timeToRead = ::Config.Timeout.read;
153 AsyncCall::Pointer nil;
154 commSetConnTimeout(serverConnection(), timeToRead, nil);
155 }
156
157 void
158 Security::PeerConnector::recordNegotiationDetails()
159 {
160 const int fd = serverConnection()->fd;
161 Security::SessionPointer session(fd_table[fd].ssl);
162
163 // retrieve TLS server negotiated information if any
164 serverConnection()->tlsNegotiations()->retrieveNegotiatedInfo(session);
165
166 #if USE_OPENSSL
167 // retrieve TLS parsed extra info
168 BIO *b = SSL_get_rbio(session.get());
169 Ssl::ServerBio *bio = static_cast<Ssl::ServerBio *>(BIO_get_data(b));
170 if (const Security::TlsDetails::Pointer &details = bio->receivedHelloDetails())
171 serverConnection()->tlsNegotiations()->retrieveParsedInfo(details);
172 #endif
173 }
174
175 void
176 Security::PeerConnector::negotiate()
177 {
178 if (!Comm::IsConnOpen(serverConnection()))
179 return;
180
181 const int fd = serverConnection()->fd;
182 if (fd_table[fd].closing())
183 return;
184
185 #if USE_OPENSSL
186 auto session = fd_table[fd].ssl.get();
187 debugs(83, 5, "SSL_connect session=" << (void*)session);
188 const int result = SSL_connect(session);
189 if (result <= 0) {
190 #elif USE_GNUTLS
191 auto session = fd_table[fd].ssl.get();
192 const int result = gnutls_handshake(session);
193 debugs(83, 5, "gnutls_handshake session=" << (void*)session << ", result=" << result);
194
195 if (result == GNUTLS_E_SUCCESS) {
196 char *desc = gnutls_session_get_desc(session);
197 debugs(83, 2, serverConnection() << " TLS Session info: " << desc);
198 gnutls_free(desc);
199 }
200
201 if (result != GNUTLS_E_SUCCESS) {
202 // debug the TLS session state so far
203 auto descIn = gnutls_handshake_get_last_in(session);
204 debugs(83, 2, "handshake IN: " << gnutls_handshake_description_get_name(descIn));
205 auto descOut = gnutls_handshake_get_last_out(session);
206 debugs(83, 2, "handshake OUT: " << gnutls_handshake_description_get_name(descOut));
207 #else
208 if (const int result = -1) {
209 #endif
210 handleNegotiateError(result);
211 return; // we might be gone by now
212 }
213
214 recordNegotiationDetails();
215
216 if (!sslFinalized())
217 return;
218
219 callBack();
220 }
221
222 bool
223 Security::PeerConnector::sslFinalized()
224 {
225 #if USE_OPENSSL
226 if (Ssl::TheConfig.ssl_crt_validator && useCertValidator_) {
227 const int fd = serverConnection()->fd;
228 Security::SessionPointer session(fd_table[fd].ssl);
229
230 Ssl::CertValidationRequest validationRequest;
231 // WARNING: Currently we do not use any locking for 'errors' member
232 // of the Ssl::CertValidationRequest class. In this code the
233 // Ssl::CertValidationRequest object used only to pass data to
234 // Ssl::CertValidationHelper::submit method.
235 validationRequest.ssl = session;
236 if (SBuf *dName = (SBuf *)SSL_get_ex_data(session.get(), ssl_ex_index_server))
237 validationRequest.domainName = dName->c_str();
238 if (Security::CertErrors *errs = static_cast<Security::CertErrors *>(SSL_get_ex_data(session.get(), ssl_ex_index_ssl_errors)))
239 // validationRequest disappears on return so no need to cbdataReference
240 validationRequest.errors = errs;
241 try {
242 debugs(83, 5, "Sending SSL certificate for validation to ssl_crtvd.");
243 AsyncCall::Pointer call = asyncCall(83,5, "Security::PeerConnector::sslCrtvdHandleReply", Ssl::CertValidationHelper::CbDialer(this, &Security::PeerConnector::sslCrtvdHandleReply, nullptr));
244 Ssl::CertValidationHelper::GetInstance()->sslSubmit(validationRequest, call);
245 return false;
246 } catch (const std::exception &e) {
247 debugs(83, DBG_IMPORTANT, "ERROR: Failed to compose ssl_crtvd " <<
248 "request for " << validationRequest.domainName <<
249 " certificate: " << e.what() << "; will now block to " <<
250 "validate that certificate.");
251 // fall through to do blocking in-process generation.
252 ErrorState *anErr = new ErrorState(ERR_GATEWAY_FAILURE, Http::scInternalServerError, request.getRaw());
253
254 noteNegotiationDone(anErr);
255 bail(anErr);
256 serverConn->close();
257 return true;
258 }
259 }
260 #endif
261
262 noteNegotiationDone(NULL);
263 return true;
264 }
265
266 #if USE_OPENSSL
267 void
268 Security::PeerConnector::sslCrtvdHandleReply(Ssl::CertValidationResponse::Pointer validationResponse)
269 {
270 Must(validationResponse != NULL);
271
272 Ssl::ErrorDetail *errDetails = NULL;
273 bool validatorFailed = false;
274 if (!Comm::IsConnOpen(serverConnection())) {
275 return;
276 }
277
278 if (Debug::Enabled(83, 5)) {
279 Security::SessionPointer ssl(fd_table[serverConnection()->fd].ssl);
280 SBuf *server = static_cast<SBuf *>(SSL_get_ex_data(ssl.get(), ssl_ex_index_server));
281 debugs(83,5, RawPointer("host", server) << " cert validation result: " << validationResponse->resultCode);
282 }
283
284 if (validationResponse->resultCode == ::Helper::Error) {
285 if (Security::CertErrors *errs = sslCrtvdCheckForErrors(*validationResponse, errDetails)) {
286 Security::SessionPointer session(fd_table[serverConnection()->fd].ssl);
287 Security::CertErrors *oldErrs = static_cast<Security::CertErrors*>(SSL_get_ex_data(session.get(), ssl_ex_index_ssl_errors));
288 SSL_set_ex_data(session.get(), ssl_ex_index_ssl_errors, (void *)errs);
289 delete oldErrs;
290 }
291 } else if (validationResponse->resultCode != ::Helper::Okay)
292 validatorFailed = true;
293
294 if (!errDetails && !validatorFailed) {
295 noteNegotiationDone(NULL);
296 callBack();
297 return;
298 }
299
300 ErrorState *anErr = NULL;
301 if (validatorFailed) {
302 anErr = new ErrorState(ERR_GATEWAY_FAILURE, Http::scInternalServerError, request.getRaw());
303 } else {
304 anErr = new ErrorState(ERR_SECURE_CONNECT_FAIL, Http::scServiceUnavailable, request.getRaw());
305 anErr->detail = errDetails;
306 /*anErr->xerrno= Should preserved*/
307 }
308
309 noteNegotiationDone(anErr);
310 bail(anErr);
311 serverConn->close();
312 return;
313 }
314 #endif
315
316 #if USE_OPENSSL
317 /// Checks errors in the cert. validator response against sslproxy_cert_error.
318 /// The first honored error, if any, is returned via errDetails parameter.
319 /// The method returns all seen errors except SSL_ERROR_NONE as Security::CertErrors.
320 Security::CertErrors *
321 Security::PeerConnector::sslCrtvdCheckForErrors(Ssl::CertValidationResponse const &resp, Ssl::ErrorDetail *& errDetails)
322 {
323 ACLFilledChecklist *check = NULL;
324 if (acl_access *acl = ::Config.ssl_client.cert_error) {
325 check = new ACLFilledChecklist(acl, request.getRaw(), dash_str);
326 check->al = al;
327 }
328
329 Security::CertErrors *errs = nullptr;
330 Security::SessionPointer session(fd_table[serverConnection()->fd].ssl);
331 typedef Ssl::CertValidationResponse::RecvdErrors::const_iterator SVCRECI;
332 for (SVCRECI i = resp.errors.begin(); i != resp.errors.end(); ++i) {
333 debugs(83, 7, "Error item: " << i->error_no << " " << i->error_reason);
334
335 assert(i->error_no != SSL_ERROR_NONE);
336
337 if (!errDetails) {
338 bool allowed = false;
339 if (check) {
340 check->sslErrors = new Security::CertErrors(Security::CertError(i->error_no, i->cert, i->error_depth));
341 if (check->fastCheck() == ACCESS_ALLOWED)
342 allowed = true;
343 }
344 // else the Config.ssl_client.cert_error access list is not defined
345 // and the first error will cause the error page
346
347 if (allowed) {
348 debugs(83, 3, "bypassing SSL error " << i->error_no << " in " << "buffer");
349 } else {
350 debugs(83, 5, "confirming SSL error " << i->error_no);
351 X509 *brokenCert = i->cert.get();
352 Security::CertPointer peerCert(SSL_get_peer_certificate(session.get()));
353 const char *aReason = i->error_reason.empty() ? NULL : i->error_reason.c_str();
354 errDetails = new Ssl::ErrorDetail(i->error_no, peerCert.get(), brokenCert, aReason);
355 }
356 if (check) {
357 delete check->sslErrors;
358 check->sslErrors = NULL;
359 }
360 }
361
362 if (!errs)
363 errs = new Security::CertErrors(Security::CertError(i->error_no, i->cert, i->error_depth));
364 else
365 errs->push_back_unique(Security::CertError(i->error_no, i->cert, i->error_depth));
366 }
367 if (check)
368 delete check;
369
370 return errs;
371 }
372 #endif
373
374 /// A wrapper for Comm::SetSelect() notifications.
375 void
376 Security::PeerConnector::NegotiateSsl(int, void *data)
377 {
378 PeerConnector *pc = static_cast<Security::PeerConnector *>(data);
379 // Use job calls to add done() checks and other job logic/protections.
380 CallJobHere(83, 7, pc, Security::PeerConnector, negotiate);
381 }
382
383 void
384 Security::PeerConnector::handleNegotiateError(const int ret)
385 {
386 const int fd = serverConnection()->fd;
387 const Security::SessionPointer session(fd_table[fd].ssl);
388 unsigned long ssl_lib_error = ret;
389
390 #if USE_OPENSSL
391 const int ssl_error = SSL_get_error(session.get(), ret);
392
393 switch (ssl_error) {
394 case SSL_ERROR_WANT_READ:
395 noteWantRead();
396 return;
397
398 case SSL_ERROR_WANT_WRITE:
399 noteWantWrite();
400 return;
401
402 case SSL_ERROR_SSL:
403 case SSL_ERROR_SYSCALL:
404 ssl_lib_error = ERR_get_error();
405 // proceed to the general error handling code
406 break;
407 default:
408 // no special error handling for all other errors
409 ssl_lib_error = SSL_ERROR_NONE;
410 break;
411 }
412
413 #elif USE_GNUTLS
414 const int ssl_error = ret;
415
416 switch (ret) {
417 case GNUTLS_E_WARNING_ALERT_RECEIVED: {
418 auto alert = gnutls_alert_get(session.get());
419 debugs(83, DBG_IMPORTANT, "TLS ALERT: " << gnutls_alert_get_name(alert));
420 }
421 // drop through to next case
422
423 case GNUTLS_E_AGAIN:
424 case GNUTLS_E_INTERRUPTED:
425 if (gnutls_record_get_direction(session.get()) == 0)
426 noteWantRead();
427 else
428 noteWantWrite();
429 return;
430
431 default:
432 // no special error handling for all other errors
433 break;
434 }
435
436 #else
437 // this avoids unused variable compiler warnings.
438 Must(!session);
439 const int ssl_error = ret;
440 #endif
441
442 // Log connection details, if any
443 recordNegotiationDetails();
444 noteNegotiationError(ret, ssl_error, ssl_lib_error);
445 }
446
447 void
448 Security::PeerConnector::noteWantRead()
449 {
450 const int fd = serverConnection()->fd;
451 debugs(83, 5, serverConnection());
452 #if USE_OPENSSL
453 Security::SessionPointer session(fd_table[fd].ssl);
454 BIO *b = SSL_get_rbio(session.get());
455 Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(BIO_get_data(b));
456 if (srvBio->holdRead()) {
457 if (srvBio->gotHello()) {
458 if (checkForMissingCertificates())
459 return; // Wait to download certificates before proceed.
460
461 srvBio->holdRead(false);
462 // schedule a negotiateSSl to allow openSSL parse received data
463 Security::PeerConnector::NegotiateSsl(fd, this);
464 return;
465 } else if (srvBio->gotHelloFailed()) {
466 srvBio->holdRead(false);
467 debugs(83, DBG_IMPORTANT, "Error parsing SSL Server Hello Message on FD " << fd);
468 // schedule a negotiateSSl to allow openSSL parse received data
469 Security::PeerConnector::NegotiateSsl(fd, this);
470 return;
471 }
472 }
473 #endif
474 setReadTimeout();
475 Comm::SetSelect(fd, COMM_SELECT_READ, &NegotiateSsl, this, 0);
476 }
477
478 void
479 Security::PeerConnector::noteWantWrite()
480 {
481 const int fd = serverConnection()->fd;
482 debugs(83, 5, serverConnection());
483 Comm::SetSelect(fd, COMM_SELECT_WRITE, &NegotiateSsl, this, 0);
484 return;
485 }
486
487 void
488 Security::PeerConnector::noteNegotiationError(const int ret, const int ssl_error, const int ssl_lib_error)
489 {
490 #if defined(EPROTO)
491 int sysErrNo = EPROTO;
492 #else
493 int sysErrNo = EACCES;
494 #endif
495
496 #if USE_OPENSSL
497 // store/report errno when ssl_error is SSL_ERROR_SYSCALL, ssl_lib_error is 0, and ret is -1
498 if (ssl_error == SSL_ERROR_SYSCALL && ret == -1 && ssl_lib_error == 0)
499 sysErrNo = errno;
500 #endif
501 int xerr = errno;
502
503 const int fd = serverConnection()->fd;
504 debugs(83, DBG_IMPORTANT, "ERROR: negotiating TLS on FD " << fd <<
505 ": " << Security::ErrorString(ssl_lib_error) << " (" <<
506 ssl_error << "/" << ret << "/" << xerr << ")");
507
508 ErrorState *anErr = ErrorState::NewForwarding(ERR_SECURE_CONNECT_FAIL, request);
509 anErr->xerrno = sysErrNo;
510
511 #if USE_OPENSSL
512 Security::SessionPointer session(fd_table[fd].ssl);
513 Ssl::ErrorDetail *errFromFailure = static_cast<Ssl::ErrorDetail *>(SSL_get_ex_data(session.get(), ssl_ex_index_ssl_error_detail));
514 if (errFromFailure != NULL) {
515 // The errFromFailure is attached to the ssl object
516 // and will be released when ssl object destroyed.
517 // Copy errFromFailure to a new Ssl::ErrorDetail object
518 anErr->detail = new Ssl::ErrorDetail(*errFromFailure);
519 } else {
520 // server_cert can be NULL here
521 X509 *server_cert = SSL_get_peer_certificate(session.get());
522 anErr->detail = new Ssl::ErrorDetail(SQUID_ERR_SSL_HANDSHAKE, server_cert, NULL);
523 X509_free(server_cert);
524 }
525
526 if (ssl_lib_error != SSL_ERROR_NONE)
527 anErr->detail->setLibError(ssl_lib_error);
528 #endif
529
530 noteNegotiationDone(anErr);
531 bail(anErr);
532 }
533
534 void
535 Security::PeerConnector::bail(ErrorState *error)
536 {
537 Must(error); // or the recepient will not know there was a problem
538 Must(callback != NULL);
539 CbDialer *dialer = dynamic_cast<CbDialer*>(callback->getDialer());
540 Must(dialer);
541 dialer->answer().error = error;
542
543 callBack();
544 // Our job is done. The callabck recepient will probably close the failed
545 // peer connection and try another peer or go direct (if possible). We
546 // can close the connection ourselves (our error notification would reach
547 // the recepient before the fd-closure notification), but we would rather
548 // minimize the number of fd-closure notifications and let the recepient
549 // manage the TCP state of the connection.
550 }
551
552 void
553 Security::PeerConnector::callBack()
554 {
555 debugs(83, 5, "TLS setup ended for " << serverConnection());
556
557 AsyncCall::Pointer cb = callback;
558 // Do this now so that if we throw below, swanSong() assert that we _tried_
559 // to call back holds.
560 callback = NULL; // this should make done() true
561
562 // remove close handler
563 comm_remove_close_handler(serverConnection()->fd, closeHandler);
564
565 CbDialer *dialer = dynamic_cast<CbDialer*>(cb->getDialer());
566 Must(dialer);
567 dialer->answer().conn = serverConnection();
568 ScheduleCallHere(cb);
569 }
570
571 void
572 Security::PeerConnector::swanSong()
573 {
574 // XXX: unregister fd-closure monitoring and CommSetSelect interest, if any
575 AsyncJob::swanSong();
576 if (callback != NULL) { // paranoid: we have left the caller waiting
577 debugs(83, DBG_IMPORTANT, "BUG: Unexpected state while connecting to a cache_peer or origin server");
578 ErrorState *anErr = new ErrorState(ERR_GATEWAY_FAILURE, Http::scInternalServerError, request.getRaw());
579 bail(anErr);
580 assert(!callback);
581 return;
582 }
583 }
584
585 const char *
586 Security::PeerConnector::status() const
587 {
588 static MemBuf buf;
589 buf.reset();
590
591 // TODO: redesign AsyncJob::status() API to avoid this
592 // id and stop reason reporting duplication.
593 buf.append(" [", 2);
594 if (stopReason != NULL) {
595 buf.append("Stopped, reason:", 16);
596 buf.appendf("%s",stopReason);
597 }
598 if (serverConn != NULL)
599 buf.appendf(" FD %d", serverConn->fd);
600 buf.appendf(" %s%u]", id.prefix(), id.value);
601 buf.terminate();
602
603 return buf.content();
604 }
605
606 #if USE_OPENSSL
607 /// CallDialer to allow use Downloader objects within PeerConnector class.
608 class PeerConnectorCertDownloaderDialer: public Downloader::CbDialer
609 {
610 public:
611 typedef void (Security::PeerConnector::*Method)(SBuf &object, int status);
612
613 PeerConnectorCertDownloaderDialer(Method method, Security::PeerConnector *pc):
614 method_(method),
615 peerConnector_(pc) {}
616
617 /* CallDialer API */
618 virtual bool canDial(AsyncCall &call) { return peerConnector_.valid(); }
619 virtual void dial(AsyncCall &call) { ((&(*peerConnector_))->*method_)(object, status); }
620 Method method_; ///< The Security::PeerConnector method to dial
621 CbcPointer<Security::PeerConnector> peerConnector_; ///< The Security::PeerConnector object
622 };
623
624 void
625 Security::PeerConnector::startCertDownloading(SBuf &url)
626 {
627 AsyncCall::Pointer certCallback = asyncCall(81, 4,
628 "Security::PeerConnector::certDownloadingDone",
629 PeerConnectorCertDownloaderDialer(&Security::PeerConnector::certDownloadingDone, this));
630
631 const Downloader *csd = (request ? dynamic_cast<const Downloader*>(request->downloader.valid()) : nullptr);
632 Downloader *dl = new Downloader(url, certCallback, XactionInitiator::initCertFetcher, csd ? csd->nestedLevel() + 1 : 1);
633 AsyncJob::Start(dl);
634 }
635
636 void
637 Security::PeerConnector::certDownloadingDone(SBuf &obj, int downloadStatus)
638 {
639 ++certsDownloads;
640 debugs(81, 5, "Certificate downloading status: " << downloadStatus << " certificate size: " << obj.length());
641
642 // get ServerBio from SSL object
643 const int fd = serverConnection()->fd;
644 Security::SessionPointer session(fd_table[fd].ssl);
645 BIO *b = SSL_get_rbio(session.get());
646 Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(BIO_get_data(b));
647
648 // Parse Certificate. Assume that it is in DER format.
649 // According to RFC 4325:
650 // The server must provide a DER encoded certificate or a collection
651 // collection of certificates in a "certs-only" CMS message.
652 // The applications MUST accept DER encoded certificates and SHOULD
653 // be able to accept collection of certificates.
654 // TODO: support collection of certificates
655 const unsigned char *raw = (const unsigned char*)obj.rawContent();
656 if (X509 *cert = d2i_X509(NULL, &raw, obj.length())) {
657 char buffer[1024];
658 debugs(81, 5, "Retrieved certificate: " << X509_NAME_oneline(X509_get_subject_name(cert), buffer, 1024));
659 const Security::CertList &certsList = srvBio->serverCertificatesIfAny();
660 if (const char *issuerUri = Ssl::uriOfIssuerIfMissing(cert, certsList)) {
661 urlsOfMissingCerts.push(SBuf(issuerUri));
662 }
663 Ssl::SSL_add_untrusted_cert(session.get(), cert);
664 }
665
666 // Check if there are URIs to download from and if yes start downloading
667 // the first in queue.
668 if (urlsOfMissingCerts.size() && certsDownloads <= MaxCertsDownloads) {
669 startCertDownloading(urlsOfMissingCerts.front());
670 urlsOfMissingCerts.pop();
671 return;
672 }
673
674 srvBio->holdRead(false);
675 Security::PeerConnector::NegotiateSsl(serverConnection()->fd, this);
676 }
677
678 bool
679 Security::PeerConnector::checkForMissingCertificates()
680 {
681 // Check for nested SSL certificates downloads. For example when the
682 // certificate located in an SSL site which requires to download a
683 // a missing certificate (... from an SSL site which requires to ...).
684
685 const Downloader *csd = (request ? request->downloader.get() : nullptr);
686 if (csd && csd->nestedLevel() >= MaxNestedDownloads)
687 return false;
688
689 const int fd = serverConnection()->fd;
690 Security::SessionPointer session(fd_table[fd].ssl);
691 BIO *b = SSL_get_rbio(session.get());
692 Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(BIO_get_data(b));
693 const Security::CertList &certs = srvBio->serverCertificatesIfAny();
694
695 if (certs.size()) {
696 debugs(83, 5, "SSL server sent " << certs.size() << " certificates");
697 Ssl::missingChainCertificatesUrls(urlsOfMissingCerts, certs);
698 if (urlsOfMissingCerts.size()) {
699 startCertDownloading(urlsOfMissingCerts.front());
700 urlsOfMissingCerts.pop();
701 return true;
702 }
703 }
704
705 return false;
706 }
707 #endif //USE_OPENSSL
708
Mirror of https://github.com/squid-cache/squid.git