[thirdparty/squid.git] / src / security / Session.cc

/*
 * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

/* DEBUG: section 83    TLS session management */

#include "squid.h"
#include "anyp/PortCfg.h"
#include "base/RunnersRegistry.h"
#include "Debug.h"
#include "fde.h"
#include "ipc/MemMap.h"
#include "security/Session.h"
#include "SquidConfig.h"
#include "ssl/bio.h"

#define SSL_SESSION_ID_SIZE 32
#define SSL_SESSION_MAX_SIZE 10*1024

static bool
CreateSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &conn, Security::Io::Type type, const char *squidCtx)
{
    if (!Comm::IsConnOpen(conn)) {
        debugs(83, DBG_IMPORTANT, "Gone connection");
        return false;
    }

    const char *errAction = "with no TLS/SSL library";
    int errCode = 0;
#if USE_OPENSSL
    Security::SessionPointer ssl(SSL_new(ctx.get()));
    if (ssl) {
        const int fd = conn->fd;
        // without BIO, we would call SSL_set_fd(ssl.get(), fd) instead
        if (BIO *bio = Ssl::Bio::Create(fd, type)) {
            Ssl::Bio::Link(ssl.get(), bio); // cannot fail

            fd_table[fd].ssl = ssl;
            fd_table[fd].read_method = &ssl_read_method;
            fd_table[fd].write_method = &ssl_write_method;
            fd_note(fd, squidCtx);
            return true;
        }
        errCode = ERR_get_error();
        errAction = "failed to initialize I/O";
    } else {
        errCode = ERR_get_error();
        errAction = "failed to allocate handle";
    }
#endif
    debugs(83, DBG_IMPORTANT, "ERROR: " << squidCtx << ' ' << errAction <<
           ": " << (errCode != 0 ? Security::ErrorString(errCode) : ""));
    return false;
}

bool
Security::CreateClientSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &c, const char *squidCtx)
{
    return CreateSession(ctx, c, Security::Io::BIO_TO_SERVER, squidCtx);
}

bool
Security::CreateServerSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &c, const char *squidCtx)
{
    return CreateSession(ctx, c, Security::Io::BIO_TO_CLIENT, squidCtx);
}

bool
Security::SessionIsResumed(const Security::SessionPointer &s)
{
    bool result = false;
#if USE_OPENSSL
    result = SSL_session_reused(s.get()) == 1;
#elif USE_GNUTLS
    result = gnutls_session_is_resumed(s.get()) != 0;
#endif
    debugs(83, 7, "session=" << (void*)s.get() << ", query? answer: " << (result ? 'T' : 'F') );
    return result;
}

void
Security::MaybeGetSessionResumeData(const Security::SessionPointer &s, Security::SessionStatePointer &data)
{
    if (!SessionIsResumed(s)) {
#if USE_OPENSSL
        // nil is valid for SSL_get1_session(), it cannot fail.
        data.reset(SSL_get1_session(s.get()));
#elif USE_GNUTLS
        gnutls_datum_t *tmp = nullptr;
        const auto x = gnutls_session_get_data2(s.get(), tmp);
        if (x != GNUTLS_E_SUCCESS) {
            debugs(83, 3, "session=" << (void*)s.get() << " error: " << Security::ErrorString(x));
        }
        data.reset(tmp);
#endif
        debugs(83, 5, "session=" << (void*)s.get() << " data=" << (void*)data.get());
    } else {
        debugs(83, 5, "session=" << (void*)s.get() << " data=" << (void*)data.get() << ", do nothing.");
    }
}

void
Security::SetSessionResumeData(const Security::SessionPointer &s, const Security::SessionStatePointer &data)
{
    if (data) {
#if USE_OPENSSL
        if (!SSL_set_session(s.get(), data.get())) {
            const auto ssl_error = ERR_get_error();
            debugs(83, 3, "session=" << (void*)s.get() << " data=" << (void*)data.get() <<
                   " resume error: " << Security::ErrorString(ssl_error));
        }
#elif USE_GNUTLS
        const auto x = gnutls_session_set_data(s.get(), data->data, data->size);
        if (x != GNUTLS_E_SUCCESS) {
            debugs(83, 3, "session=" << (void*)s.get() << " data=" << (void*)data.get() <<
                   " resume error: " << Security::ErrorString(x));
        }
#else
        // critical because, how did it get here?
        debugs(83, DBG_CRITICAL, "no TLS library. session=" << (void*)s.get() << " data=" << (void*)data.get());
#endif
        debugs(83, 5, "session=" << (void*)s.get() << " data=" << (void*)data.get());
    } else {
        debugs(83, 5, "session=" << (void*)s.get() << " no resume data");
    }
}

static bool
isTlsServer()
{
    for (AnyP::PortCfgPointer s = HttpPortList; s != nullptr; s = s->next) {
        if (s->secure.encryptTransport)
            return true;
        if (s->flags.tunnelSslBumping)
            return true;
    }

    return false;
}

void
initializeSessionCache()
{
#if USE_OPENSSL
    // Check if the MemMap keys and data are enough big to hold
    // session ids and session data
    assert(SSL_SESSION_ID_SIZE >= MEMMAP_SLOT_KEY_SIZE);
    assert(SSL_SESSION_MAX_SIZE >= MEMMAP_SLOT_DATA_SIZE);

    int configuredItems = ::Config.SSL.sessionCacheSize / sizeof(Ipc::MemMap::Slot);
    if (IamWorkerProcess() && configuredItems)
        Ssl::SessionCache = new Ipc::MemMap(Ssl::SessionCacheName);
    else {
        Ssl::SessionCache = nullptr;
        return;
    }

    for (AnyP::PortCfgPointer s = HttpPortList; s != nullptr; s = s->next) {
        if (s->secure.staticContext)
            Ssl::SetSessionCallbacks(s->secure.staticContext);
    }
#endif
}

/// initializes shared memory segments used by MemStore
class SharedSessionCacheRr: public Ipc::Mem::RegisteredRunner
{
public:
    /* RegisteredRunner API */
    SharedSessionCacheRr(): owner(nullptr) {}
    virtual void useConfig();
    virtual ~SharedSessionCacheRr();

protected:
    virtual void create();

private:
    Ipc::MemMap::Owner *owner;
};

RunnerRegistrationEntry(SharedSessionCacheRr);

void
SharedSessionCacheRr::useConfig()
{
#if USE_OPENSSL // while Ssl:: bits in use
    if (Ssl::SessionCache || !isTlsServer()) //no need to configure ssl session cache.
        return;

    Ipc::Mem::RegisteredRunner::useConfig();
    initializeSessionCache();
#endif
}

void
SharedSessionCacheRr::create()
{
    if (!isTlsServer()) //no need to configure ssl session cache.
        return;

#if USE_OPENSSL // while Ssl:: bits in use
    if (int items = Config.SSL.sessionCacheSize / sizeof(Ipc::MemMap::Slot))
        owner = Ipc::MemMap::Init(Ssl::SessionCacheName, items);
#endif
}

SharedSessionCacheRr::~SharedSessionCacheRr()
{
    // XXX: Enable after testing to reduce at-exit memory "leaks".
    // delete Ssl::SessionCache;

    delete owner;
}
Commit	Line	Data
824d4656 AJ	1	/*
	2	* Copyright (C) 1996-2016 The Squid Software Foundation and contributors
	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
5d9a65df AJ	9	/* DEBUG: section 83 TLS session management */
5d9a65df AJ	10
824d4656 AJ	11	#include "squid.h"
	12	#include "anyp/PortCfg.h"
	13	#include "base/RunnersRegistry.h"
5d9a65df	14	#include "Debug.h"
86f77270	15	#include "fde.h"
824d4656 AJ	16	#include "ipc/MemMap.h"
	17	#include "security/Session.h"
	18	#include "SquidConfig.h"
86f77270	19	#include "ssl/bio.h"
824d4656 AJ	20
	21	#define SSL_SESSION_ID_SIZE 32
	22	#define SSL_SESSION_MAX_SIZE 10*1024
	23
86f77270 AJ	24	static bool
	25	CreateSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &conn, Security::Io::Type type, const char *squidCtx)
	26	{
	27	if (!Comm::IsConnOpen(conn)) {
	28	debugs(83, DBG_IMPORTANT, "Gone connection");
	29	return false;
	30	}
	31
	32	const char *errAction = "with no TLS/SSL library";
86f77270	33	int errCode = 0;
e0cf4700	34	#if USE_OPENSSL
d0aafe66 AJ	35	Security::SessionPointer ssl(SSL_new(ctx.get()));
d0aafe66 AJ	36	if (ssl) {
86f77270	37	const int fd = conn->fd;
d0aafe66	38	// without BIO, we would call SSL_set_fd(ssl.get(), fd) instead
86f77270	39	if (BIO *bio = Ssl::Bio::Create(fd, type)) {
d0aafe66	40	Ssl::Bio::Link(ssl.get(), bio); // cannot fail
86f77270	41
d0aafe66	42	fd_table[fd].ssl = ssl;
86f77270 AJ	43	fd_table[fd].read_method = &ssl_read_method;
	44	fd_table[fd].write_method = &ssl_write_method;
	45	fd_note(fd, squidCtx);
	46	return true;
	47	}
	48	errCode = ERR_get_error();
	49	errAction = "failed to initialize I/O";
86f77270 AJ	50	} else {
	51	errCode = ERR_get_error();
	52	errAction = "failed to allocate handle";
	53	}
86f77270	54	#endif
e0cf4700 AJ	55	debugs(83, DBG_IMPORTANT, "ERROR: " << squidCtx << ' ' << errAction <<
e0cf4700 AJ	56	": " << (errCode != 0 ? Security::ErrorString(errCode) : ""));
86f77270 AJ	57	return false;
	58	}
	59
	60	bool
	61	Security::CreateClientSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &c, const char *squidCtx)
	62	{
	63	return CreateSession(ctx, c, Security::Io::BIO_TO_SERVER, squidCtx);
	64	}
	65
	66	bool
	67	Security::CreateServerSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &c, const char *squidCtx)
	68	{
	69	return CreateSession(ctx, c, Security::Io::BIO_TO_CLIENT, squidCtx);
	70	}
	71
5d9a65df AJ	72	bool
	73	Security::SessionIsResumed(const Security::SessionPointer &s)
	74	{
	75	bool result = false;
	76	#if USE_OPENSSL
	77	result = SSL_session_reused(s.get()) == 1;
	78	#elif USE_GNUTLS
	79	result = gnutls_session_is_resumed(s.get()) != 0;
	80	#endif
	81	debugs(83, 7, "session=" << (void*)s.get() << ", query? answer: " << (result ? 'T' : 'F') );
	82	return result;
	83	}
	84
	85	void
	86	Security::MaybeGetSessionResumeData(const Security::SessionPointer &s, Security::SessionStatePointer &data)
	87	{
	88	if (!SessionIsResumed(s)) {
	89	#if USE_OPENSSL
	90	// nil is valid for SSL_get1_session(), it cannot fail.
	91	data.reset(SSL_get1_session(s.get()));
	92	#elif USE_GNUTLS
	93	gnutls_datum_t *tmp = nullptr;
	94	const auto x = gnutls_session_get_data2(s.get(), tmp);
	95	if (x != GNUTLS_E_SUCCESS) {
ea574635	96	debugs(83, 3, "session=" << (void*)s.get() << " error: " << Security::ErrorString(x));
5d9a65df AJ	97	}
	98	data.reset(tmp);
	99	#endif
	100	debugs(83, 5, "session=" << (void)s.get() << " data=" << (void)data.get());
	101	} else {
	102	debugs(83, 5, "session=" << (void)s.get() << " data=" << (void)data.get() << ", do nothing.");
	103	}
	104	}
	105
	106	void
	107	Security::SetSessionResumeData(const Security::SessionPointer &s, const Security::SessionStatePointer &data)
	108	{
	109	if (data) {
	110	#if USE_OPENSSL
	111	if (!SSL_set_session(s.get(), data.get())) {
	112	const auto ssl_error = ERR_get_error();
	113	debugs(83, 3, "session=" << (void)s.get() << " data=" << (void)data.get() <<
ea574635	114	" resume error: " << Security::ErrorString(ssl_error));
5d9a65df AJ	115	}
	116	#elif USE_GNUTLS
	117	const auto x = gnutls_session_set_data(s.get(), data->data, data->size);
	118	if (x != GNUTLS_E_SUCCESS) {
	119	debugs(83, 3, "session=" << (void)s.get() << " data=" << (void)data.get() <<
ea574635	120	" resume error: " << Security::ErrorString(x));
5d9a65df AJ	121	}
	122	#else
	123	// critical because, how did it get here?
	124	debugs(83, DBG_CRITICAL, "no TLS library. session=" << (void)s.get() << " data=" << (void)data.get());
	125	#endif
	126	debugs(83, 5, "session=" << (void)s.get() << " data=" << (void)data.get());
	127	} else {
	128	debugs(83, 5, "session=" << (void*)s.get() << " no resume data");
	129	}
	130	}
	131
824d4656 AJ	132	static bool
	133	isTlsServer()
	134	{
	135	for (AnyP::PortCfgPointer s = HttpPortList; s != nullptr; s = s->next) {
	136	if (s->secure.encryptTransport)
	137	return true;
	138	if (s->flags.tunnelSslBumping)
	139	return true;
	140	}
	141
	142	return false;
	143	}
	144
	145	void
	146	initializeSessionCache()
	147	{
	148	#if USE_OPENSSL
	149	// Check if the MemMap keys and data are enough big to hold
	150	// session ids and session data
	151	assert(SSL_SESSION_ID_SIZE >= MEMMAP_SLOT_KEY_SIZE);
	152	assert(SSL_SESSION_MAX_SIZE >= MEMMAP_SLOT_DATA_SIZE);
	153
	154	int configuredItems = ::Config.SSL.sessionCacheSize / sizeof(Ipc::MemMap::Slot);
	155	if (IamWorkerProcess() && configuredItems)
	156	Ssl::SessionCache = new Ipc::MemMap(Ssl::SessionCacheName);
	157	else {
	158	Ssl::SessionCache = nullptr;
	159	return;
	160	}
	161
	162	for (AnyP::PortCfgPointer s = HttpPortList; s != nullptr; s = s->next) {
b23f5f9c AJ	163	if (s->secure.staticContext)
b23f5f9c AJ	164	Ssl::SetSessionCallbacks(s->secure.staticContext);
824d4656 AJ	165	}
	166	#endif
	167	}
	168
	169	/// initializes shared memory segments used by MemStore
	170	class SharedSessionCacheRr: public Ipc::Mem::RegisteredRunner
	171	{
	172	public:
	173	/* RegisteredRunner API */
	174	SharedSessionCacheRr(): owner(nullptr) {}
	175	virtual void useConfig();
	176	virtual ~SharedSessionCacheRr();
	177
	178	protected:
	179	virtual void create();
	180
	181	private:
	182	Ipc::MemMap::Owner *owner;
	183	};
	184
	185	RunnerRegistrationEntry(SharedSessionCacheRr);
	186
	187	void
	188	SharedSessionCacheRr::useConfig()
	189	{
	190	#if USE_OPENSSL // while Ssl:: bits in use
	191	if (Ssl::SessionCache \|\| !isTlsServer()) //no need to configure ssl session cache.
	192	return;
	193
	194	Ipc::Mem::RegisteredRunner::useConfig();
	195	initializeSessionCache();
	196	#endif
	197	}
	198
	199	void
	200	SharedSessionCacheRr::create()
	201	{
	202	if (!isTlsServer()) //no need to configure ssl session cache.
	203	return;
	204
	205	#if USE_OPENSSL // while Ssl:: bits in use
	206	if (int items = Config.SSL.sessionCacheSize / sizeof(Ipc::MemMap::Slot))
	207	owner = Ipc::MemMap::Init(Ssl::SessionCacheName, items);
	208	#endif
	209	}
	210
	211	SharedSessionCacheRr::~SharedSessionCacheRr()
	212	{
	213	// XXX: Enable after testing to reduce at-exit memory "leaks".
	214	// delete Ssl::SessionCache;
	215
	216	delete owner;
	217	}
	218