]> git.ipfire.org Git - thirdparty/squid.git/blob - src/security/PeerConnector.cc
projects / thirdparty / squid.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Implement GnuTLS session logics in libsecurity
[thirdparty/squid.git] / src / security / PeerConnector.cc
1 /*
2 * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9 /* DEBUG: section 83 TLS Server/Peer negotiation */
10
11 #include "squid.h"
12 #include "acl/FilledChecklist.h"
13 #include "comm/Loops.h"
14 #include "Downloader.h"
15 #include "errorpage.h"
16 #include "fde.h"
17 #include "http/Stream.h"
18 #include "HttpRequest.h"
19 #include "security/NegotiationHistory.h"
20 #include "security/PeerConnector.h"
21 #include "SquidConfig.h"
22 #if USE_OPENSSL
23 #include "ssl/bio.h"
24 #include "ssl/cert_validate_message.h"
25 #include "ssl/Config.h"
26 #include "ssl/helper.h"
27 #endif
28
29 CBDATA_NAMESPACED_CLASS_INIT(Security, PeerConnector);
30
31 Security::PeerConnector::PeerConnector(const Comm::ConnectionPointer &aServerConn, AsyncCall::Pointer &aCallback, const AccessLogEntryPointer &alp, const time_t timeout) :
32 AsyncJob("Security::PeerConnector"),
33 serverConn(aServerConn),
34 al(alp),
35 callback(aCallback),
36 negotiationTimeout(timeout),
37 startTime(squid_curtime),
38 useCertValidator_(true),
39 certsDownloads(0)
40 {
41 debugs(83, 5, "Security::PeerConnector constructed, this=" << (void*)this);
42 // if this throws, the caller's cb dialer is not our CbDialer
43 Must(dynamic_cast<CbDialer*>(callback->getDialer()));
44 }
45
46 Security::PeerConnector::~PeerConnector()
47 {
48 debugs(83, 5, "Security::PeerConnector destructed, this=" << (void*)this);
49 }
50
51 bool Security::PeerConnector::doneAll() const
52 {
53 return (!callback || callback->canceled()) && AsyncJob::doneAll();
54 }
55
56 /// Preps connection and SSL state. Calls negotiate().
57 void
58 Security::PeerConnector::start()
59 {
60 AsyncJob::start();
61
62 Security::SessionPointer tmp;
63 if (prepareSocket() && initialize(tmp))
64 negotiate();
65 else
66 mustStop("Security::PeerConnector TLS socket initialize failed");
67 }
68
69 void
70 Security::PeerConnector::commCloseHandler(const CommCloseCbParams &params)
71 {
72 debugs(83, 5, "FD " << params.fd << ", Security::PeerConnector=" << params.data);
73 connectionClosed("Security::PeerConnector::commCloseHandler");
74 }
75
76 void
77 Security::PeerConnector::connectionClosed(const char *reason)
78 {
79 mustStop(reason);
80 callback = NULL;
81 }
82
83 bool
84 Security::PeerConnector::prepareSocket()
85 {
86 const int fd = serverConnection()->fd;
87 if (!Comm::IsConnOpen(serverConn) || fd_table[serverConn->fd].closing()) {
88 connectionClosed("Security::PeerConnector::prepareSocket");
89 return false;
90 }
91
92 // watch for external connection closures
93 typedef CommCbMemFunT<Security::PeerConnector, CommCloseCbParams> Dialer;
94 closeHandler = JobCallback(9, 5, Dialer, this, Security::PeerConnector::commCloseHandler);
95 comm_add_close_handler(fd, closeHandler);
96 return true;
97 }
98
99 bool
100 Security::PeerConnector::initialize(Security::SessionPointer &serverSession)
101 {
102 Security::ContextPointer ctx(getTlsContext());
103
104 if (!ctx || !Security::CreateClientSession(ctx, serverConnection(), "server https start")) {
105 const auto xerrno = errno;
106 if (!ctx) {
107 debugs(83, DBG_IMPORTANT, "Error initializing TLS connection: No security context.");
108 } // else CreateClientSession() did the appropriate debugs() already
109 ErrorState *anErr = new ErrorState(ERR_SOCKET_FAILURE, Http::scInternalServerError, request.getRaw());
110 anErr->xerrno = xerrno;
111 noteNegotiationDone(anErr);
112 bail(anErr);
113 return false;
114 }
115
116 // A TLS/SSL session has now been created for the connection and stored in fd_table
117 serverSession = fd_table[serverConnection()->fd].ssl;
118
119 #if USE_OPENSSL
120 // If CertValidation Helper used do not lookup checklist for errors,
121 // but keep a list of errors to send it to CertValidator
122 if (!Ssl::TheConfig.ssl_crt_validator) {
123 // Create the ACL check list now, while we have access to more info.
124 // The list is used in ssl_verify_cb() and is freed in ssl_free().
125 if (acl_access *acl = ::Config.ssl_client.cert_error) {
126 ACLFilledChecklist *check = new ACLFilledChecklist(acl, request.getRaw(), dash_str);
127 check->al = al;
128 // check->fd(fd); XXX: need client FD here
129 SSL_set_ex_data(serverSession.get(), ssl_ex_index_cert_error_check, check);
130 }
131 }
132 #endif
133
134 return true;
135 }
136
137 void
138 Security::PeerConnector::setReadTimeout()
139 {
140 int timeToRead;
141 if (negotiationTimeout) {
142 const int timeUsed = squid_curtime - startTime;
143 const int timeLeft = max(0, static_cast<int>(negotiationTimeout - timeUsed));
144 timeToRead = min(static_cast<int>(::Config.Timeout.read), timeLeft);
145 } else
146 timeToRead = ::Config.Timeout.read;
147 AsyncCall::Pointer nil;
148 commSetConnTimeout(serverConnection(), timeToRead, nil);
149 }
150
151 void
152 Security::PeerConnector::recordNegotiationDetails()
153 {
154 const int fd = serverConnection()->fd;
155 Security::SessionPointer session(fd_table[fd].ssl);
156
157 // retrieve TLS server negotiated information if any
158 serverConnection()->tlsNegotiations()->retrieveNegotiatedInfo(session);
159
160 #if USE_OPENSSL
161 // retrieve TLS parsed extra info
162 BIO *b = SSL_get_rbio(session.get());
163 Ssl::ServerBio *bio = static_cast<Ssl::ServerBio *>(b->ptr);
164 if (const Security::TlsDetails::Pointer &details = bio->receivedHelloDetails())
165 serverConnection()->tlsNegotiations()->retrieveParsedInfo(details);
166 #endif
167 }
168
169 void
170 Security::PeerConnector::negotiate()
171 {
172 if (!Comm::IsConnOpen(serverConnection()))
173 return;
174
175 const int fd = serverConnection()->fd;
176 if (fd_table[fd].closing())
177 return;
178
179 #if USE_OPENSSL
180 const int result = SSL_connect(fd_table[fd].ssl.get());
181 #elif USE_GNUTLS
182 const int result = gnutls_handshake(fd_table[fd].ssl.get());
183 #else
184 const int result = -1;
185 #endif
186 if (result <= 0) {
187 handleNegotiateError(result);
188 return; // we might be gone by now
189 }
190
191 recordNegotiationDetails();
192
193 if (!sslFinalized())
194 return;
195
196 callBack();
197 }
198
199 bool
200 Security::PeerConnector::sslFinalized()
201 {
202 #if USE_OPENSSL
203 if (Ssl::TheConfig.ssl_crt_validator && useCertValidator_) {
204 const int fd = serverConnection()->fd;
205 Security::SessionPointer session(fd_table[fd].ssl);
206
207 Ssl::CertValidationRequest validationRequest;
208 // WARNING: Currently we do not use any locking for any of the
209 // members of the Ssl::CertValidationRequest class. In this code the
210 // Ssl::CertValidationRequest object used only to pass data to
211 // Ssl::CertValidationHelper::submit method.
212 validationRequest.ssl = session.get();
213 if (SBuf *dName = (SBuf *)SSL_get_ex_data(session.get(), ssl_ex_index_server))
214 validationRequest.domainName = dName->c_str();
215 if (Security::CertErrors *errs = static_cast<Security::CertErrors *>(SSL_get_ex_data(session.get(), ssl_ex_index_ssl_errors)))
216 // validationRequest disappears on return so no need to cbdataReference
217 validationRequest.errors = errs;
218 try {
219 debugs(83, 5, "Sending SSL certificate for validation to ssl_crtvd.");
220 AsyncCall::Pointer call = asyncCall(83,5, "Security::PeerConnector::sslCrtvdHandleReply", Ssl::CertValidationHelper::CbDialer(this, &Security::PeerConnector::sslCrtvdHandleReply, nullptr));
221 Ssl::CertValidationHelper::GetInstance()->sslSubmit(validationRequest, call);
222 return false;
223 } catch (const std::exception &e) {
224 debugs(83, DBG_IMPORTANT, "ERROR: Failed to compose ssl_crtvd " <<
225 "request for " << validationRequest.domainName <<
226 " certificate: " << e.what() << "; will now block to " <<
227 "validate that certificate.");
228 // fall through to do blocking in-process generation.
229 ErrorState *anErr = new ErrorState(ERR_GATEWAY_FAILURE, Http::scInternalServerError, request.getRaw());
230
231 noteNegotiationDone(anErr);
232 bail(anErr);
233 serverConn->close();
234 return true;
235 }
236 }
237 #endif
238
239 noteNegotiationDone(NULL);
240 return true;
241 }
242
243 #if USE_OPENSSL
244 void
245 Security::PeerConnector::sslCrtvdHandleReply(Ssl::CertValidationResponse::Pointer validationResponse)
246 {
247 Must(validationResponse != NULL);
248
249 Ssl::ErrorDetail *errDetails = NULL;
250 bool validatorFailed = false;
251 if (!Comm::IsConnOpen(serverConnection())) {
252 return;
253 }
254
255 if (Debug::Enabled(83, 5)) {
256 Security::SessionPointer ssl(fd_table[serverConnection()->fd].ssl);
257 SBuf *server = static_cast<SBuf *>(SSL_get_ex_data(ssl.get(), ssl_ex_index_server));
258 debugs(83,5, RawPointer("host", server) << " cert validation result: " << validationResponse->resultCode);
259 }
260
261 if (validationResponse->resultCode == ::Helper::Error) {
262 if (Security::CertErrors *errs = sslCrtvdCheckForErrors(*validationResponse, errDetails)) {
263 Security::SessionPointer session(fd_table[serverConnection()->fd].ssl);
264 Security::CertErrors *oldErrs = static_cast<Security::CertErrors*>(SSL_get_ex_data(session.get(), ssl_ex_index_ssl_errors));
265 SSL_set_ex_data(session.get(), ssl_ex_index_ssl_errors, (void *)errs);
266 delete oldErrs;
267 }
268 } else if (validationResponse->resultCode != ::Helper::Okay)
269 validatorFailed = true;
270
271 if (!errDetails && !validatorFailed) {
272 noteNegotiationDone(NULL);
273 callBack();
274 return;
275 }
276
277 ErrorState *anErr = NULL;
278 if (validatorFailed) {
279 anErr = new ErrorState(ERR_GATEWAY_FAILURE, Http::scInternalServerError, request.getRaw());
280 } else {
281 anErr = new ErrorState(ERR_SECURE_CONNECT_FAIL, Http::scServiceUnavailable, request.getRaw());
282 anErr->detail = errDetails;
283 /*anErr->xerrno= Should preserved*/
284 }
285
286 noteNegotiationDone(anErr);
287 bail(anErr);
288 serverConn->close();
289 return;
290 }
291 #endif
292
293 #if USE_OPENSSL
294 /// Checks errors in the cert. validator response against sslproxy_cert_error.
295 /// The first honored error, if any, is returned via errDetails parameter.
296 /// The method returns all seen errors except SSL_ERROR_NONE as Security::CertErrors.
297 Security::CertErrors *
298 Security::PeerConnector::sslCrtvdCheckForErrors(Ssl::CertValidationResponse const &resp, Ssl::ErrorDetail *& errDetails)
299 {
300 ACLFilledChecklist *check = NULL;
301 if (acl_access *acl = ::Config.ssl_client.cert_error) {
302 check = new ACLFilledChecklist(acl, request.getRaw(), dash_str);
303 check->al = al;
304 }
305
306 Security::CertErrors *errs = nullptr;
307 Security::SessionPointer session(fd_table[serverConnection()->fd].ssl);
308 typedef Ssl::CertValidationResponse::RecvdErrors::const_iterator SVCRECI;
309 for (SVCRECI i = resp.errors.begin(); i != resp.errors.end(); ++i) {
310 debugs(83, 7, "Error item: " << i->error_no << " " << i->error_reason);
311
312 assert(i->error_no != SSL_ERROR_NONE);
313
314 if (!errDetails) {
315 bool allowed = false;
316 if (check) {
317 check->sslErrors = new Security::CertErrors(Security::CertError(i->error_no, i->cert, i->error_depth));
318 if (check->fastCheck() == ACCESS_ALLOWED)
319 allowed = true;
320 }
321 // else the Config.ssl_client.cert_error access list is not defined
322 // and the first error will cause the error page
323
324 if (allowed) {
325 debugs(83, 3, "bypassing SSL error " << i->error_no << " in " << "buffer");
326 } else {
327 debugs(83, 5, "confirming SSL error " << i->error_no);
328 X509 *brokenCert = i->cert.get();
329 Security::CertPointer peerCert(SSL_get_peer_certificate(session.get()));
330 const char *aReason = i->error_reason.empty() ? NULL : i->error_reason.c_str();
331 errDetails = new Ssl::ErrorDetail(i->error_no, peerCert.get(), brokenCert, aReason);
332 }
333 if (check) {
334 delete check->sslErrors;
335 check->sslErrors = NULL;
336 }
337 }
338
339 if (!errs)
340 errs = new Security::CertErrors(Security::CertError(i->error_no, i->cert, i->error_depth));
341 else
342 errs->push_back_unique(Security::CertError(i->error_no, i->cert, i->error_depth));
343 }
344 if (check)
345 delete check;
346
347 return errs;
348 }
349 #endif
350
351 /// A wrapper for Comm::SetSelect() notifications.
352 void
353 Security::PeerConnector::NegotiateSsl(int, void *data)
354 {
355 PeerConnector *pc = static_cast<Security::PeerConnector *>(data);
356 // Use job calls to add done() checks and other job logic/protections.
357 CallJobHere(83, 7, pc, Security::PeerConnector, negotiate);
358 }
359
360 void
361 Security::PeerConnector::handleNegotiateError(const int ret)
362 {
363 #if USE_OPENSSL
364 const int fd = serverConnection()->fd;
365 unsigned long ssl_lib_error = SSL_ERROR_NONE;
366 Security::SessionPointer session(fd_table[fd].ssl);
367 const int ssl_error = SSL_get_error(session.get(), ret);
368
369 switch (ssl_error) {
370 case SSL_ERROR_WANT_READ:
371 noteWantRead();
372 return;
373
374 case SSL_ERROR_WANT_WRITE:
375 noteWantWrite();
376 return;
377
378 case SSL_ERROR_SSL:
379 case SSL_ERROR_SYSCALL:
380 ssl_lib_error = ERR_get_error();
381 // proceed to the general error handling code
382 break;
383 default:
384 // no special error handling for all other errors
385 break;
386 }
387
388 // Log connection details, if any
389 recordNegotiationDetails();
390 noteNegotiationError(ret, ssl_error, ssl_lib_error);
391
392 #elif USE_GNUTLS
393 // TODO: handle specific errors individually like above
394 if (gnutls_error_is_fatal(ret) == 0) {
395 noteWantRead();
396 return;
397 }
398 #endif
399 }
400
401 void
402 Security::PeerConnector::noteWantRead()
403 {
404 const int fd = serverConnection()->fd;
405 #if USE_OPENSSL
406 Security::SessionPointer session(fd_table[fd].ssl);
407 BIO *b = SSL_get_rbio(session.get());
408 Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(b->ptr);
409 if (srvBio->holdRead()) {
410 if (srvBio->gotHello()) {
411 if (checkForMissingCertificates())
412 return; // Wait to download certificates before proceed.
413
414 srvBio->holdRead(false);
415 // schedule a negotiateSSl to allow openSSL parse received data
416 Security::PeerConnector::NegotiateSsl(fd, this);
417 return;
418 } else if (srvBio->gotHelloFailed()) {
419 srvBio->holdRead(false);
420 debugs(83, DBG_IMPORTANT, "Error parsing SSL Server Hello Message on FD " << fd);
421 // schedule a negotiateSSl to allow openSSL parse received data
422 Security::PeerConnector::NegotiateSsl(fd, this);
423 return;
424 }
425 }
426 #endif
427 setReadTimeout();
428 Comm::SetSelect(fd, COMM_SELECT_READ, &NegotiateSsl, this, 0);
429 }
430
431 void
432 Security::PeerConnector::noteWantWrite()
433 {
434 const int fd = serverConnection()->fd;
435 Comm::SetSelect(fd, COMM_SELECT_WRITE, &NegotiateSsl, this, 0);
436 return;
437 }
438
439 void
440 Security::PeerConnector::noteNegotiationError(const int ret, const int ssl_error, const int ssl_lib_error)
441 {
442 #if USE_OPENSSL // not used unless OpenSSL enabled.
443 #if defined(EPROTO)
444 int sysErrNo = EPROTO;
445 #else
446 int sysErrNo = EACCES;
447 #endif
448
449 // store/report errno when ssl_error is SSL_ERROR_SYSCALL, ssl_lib_error is 0, and ret is -1
450 if (ssl_error == SSL_ERROR_SYSCALL && ret == -1 && ssl_lib_error == 0)
451 sysErrNo = errno;
452
453 const int fd = serverConnection()->fd;
454 debugs(83, DBG_IMPORTANT, "Error negotiating SSL on FD " << fd <<
455 ": " << Security::ErrorString(ssl_lib_error) << " (" <<
456 ssl_error << "/" << ret << "/" << errno << ")");
457
458 ErrorState *anErr = NULL;
459 if (request != NULL)
460 anErr = ErrorState::NewForwarding(ERR_SECURE_CONNECT_FAIL, request.getRaw());
461 else
462 anErr = new ErrorState(ERR_SECURE_CONNECT_FAIL, Http::scServiceUnavailable, NULL);
463 anErr->xerrno = sysErrNo;
464
465 Security::SessionPointer session(fd_table[fd].ssl);
466 Ssl::ErrorDetail *errFromFailure = static_cast<Ssl::ErrorDetail *>(SSL_get_ex_data(session.get(), ssl_ex_index_ssl_error_detail));
467 if (errFromFailure != NULL) {
468 // The errFromFailure is attached to the ssl object
469 // and will be released when ssl object destroyed.
470 // Copy errFromFailure to a new Ssl::ErrorDetail object
471 anErr->detail = new Ssl::ErrorDetail(*errFromFailure);
472 } else {
473 // server_cert can be NULL here
474 X509 *server_cert = SSL_get_peer_certificate(session.get());
475 anErr->detail = new Ssl::ErrorDetail(SQUID_ERR_SSL_HANDSHAKE, server_cert, NULL);
476 X509_free(server_cert);
477 }
478
479 if (ssl_lib_error != SSL_ERROR_NONE)
480 anErr->detail->setLibError(ssl_lib_error);
481
482 noteNegotiationDone(anErr);
483 bail(anErr);
484 #endif
485 }
486
487 void
488 Security::PeerConnector::bail(ErrorState *error)
489 {
490 Must(error); // or the recepient will not know there was a problem
491 Must(callback != NULL);
492 CbDialer *dialer = dynamic_cast<CbDialer*>(callback->getDialer());
493 Must(dialer);
494 dialer->answer().error = error;
495
496 callBack();
497 // Our job is done. The callabck recepient will probably close the failed
498 // peer connection and try another peer or go direct (if possible). We
499 // can close the connection ourselves (our error notification would reach
500 // the recepient before the fd-closure notification), but we would rather
501 // minimize the number of fd-closure notifications and let the recepient
502 // manage the TCP state of the connection.
503 }
504
505 void
506 Security::PeerConnector::callBack()
507 {
508 AsyncCall::Pointer cb = callback;
509 // Do this now so that if we throw below, swanSong() assert that we _tried_
510 // to call back holds.
511 callback = NULL; // this should make done() true
512
513 // remove close handler
514 comm_remove_close_handler(serverConnection()->fd, closeHandler);
515
516 CbDialer *dialer = dynamic_cast<CbDialer*>(cb->getDialer());
517 Must(dialer);
518 dialer->answer().conn = serverConnection();
519 ScheduleCallHere(cb);
520 }
521
522 void
523 Security::PeerConnector::swanSong()
524 {
525 // XXX: unregister fd-closure monitoring and CommSetSelect interest, if any
526 AsyncJob::swanSong();
527 if (callback != NULL) { // paranoid: we have left the caller waiting
528 debugs(83, DBG_IMPORTANT, "BUG: Unexpected state while connecting to a cache_peer or origin server");
529 ErrorState *anErr = new ErrorState(ERR_GATEWAY_FAILURE, Http::scInternalServerError, request.getRaw());
530 bail(anErr);
531 assert(!callback);
532 return;
533 }
534 }
535
536 const char *
537 Security::PeerConnector::status() const
538 {
539 static MemBuf buf;
540 buf.reset();
541
542 // TODO: redesign AsyncJob::status() API to avoid this
543 // id and stop reason reporting duplication.
544 buf.append(" [", 2);
545 if (stopReason != NULL) {
546 buf.append("Stopped, reason:", 16);
547 buf.appendf("%s",stopReason);
548 }
549 if (serverConn != NULL)
550 buf.appendf(" FD %d", serverConn->fd);
551 buf.appendf(" %s%u]", id.prefix(), id.value);
552 buf.terminate();
553
554 return buf.content();
555 }
556
557 #if USE_OPENSSL
558 /// CallDialer to allow use Downloader objects within PeerConnector class.
559 class PeerConnectorCertDownloaderDialer: public Downloader::CbDialer
560 {
561 public:
562 typedef void (Security::PeerConnector::*Method)(SBuf &object, int status);
563
564 PeerConnectorCertDownloaderDialer(Method method, Security::PeerConnector *pc):
565 method_(method),
566 peerConnector_(pc) {}
567
568 /* CallDialer API */
569 virtual bool canDial(AsyncCall &call) { return peerConnector_.valid(); }
570 virtual void dial(AsyncCall &call) { ((&(*peerConnector_))->*method_)(object, status); }
571 Method method_; ///< The Security::PeerConnector method to dial
572 CbcPointer<Security::PeerConnector> peerConnector_; ///< The Security::PeerConnector object
573 };
574
575 void
576 Security::PeerConnector::startCertDownloading(SBuf &url)
577 {
578 AsyncCall::Pointer certCallback = asyncCall(81, 4,
579 "Security::PeerConnector::certDownloadingDone",
580 PeerConnectorCertDownloaderDialer(&Security::PeerConnector::certDownloadingDone, this));
581
582 const Downloader *csd = (request ? dynamic_cast<const Downloader*>(request->downloader.valid()) : nullptr);
583 Downloader *dl = new Downloader(url, certCallback, csd ? csd->nestedLevel() + 1 : 1);
584 AsyncJob::Start(dl);
585 }
586
587 void
588 Security::PeerConnector::certDownloadingDone(SBuf &obj, int downloadStatus)
589 {
590 ++certsDownloads;
591 debugs(81, 5, "Certificate downloading status: " << downloadStatus << " certificate size: " << obj.length());
592
593 // get ServerBio from SSL object
594 const int fd = serverConnection()->fd;
595 Security::SessionPointer session(fd_table[fd].ssl);
596 BIO *b = SSL_get_rbio(session.get());
597 Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(b->ptr);
598
599 // Parse Certificate. Assume that it is in DER format.
600 // According to RFC 4325:
601 // The server must provide a DER encoded certificate or a collection
602 // collection of certificates in a "certs-only" CMS message.
603 // The applications MUST accept DER encoded certificates and SHOULD
604 // be able to accept collection of certificates.
605 // TODO: support collection of certificates
606 const unsigned char *raw = (const unsigned char*)obj.rawContent();
607 if (X509 *cert = d2i_X509(NULL, &raw, obj.length())) {
608 char buffer[1024];
609 debugs(81, 5, "Retrieved certificate: " << X509_NAME_oneline(X509_get_subject_name(cert), buffer, 1024));
610 const Security::CertList &certsList = srvBio->serverCertificatesIfAny();
611 if (const char *issuerUri = Ssl::uriOfIssuerIfMissing(cert, certsList)) {
612 urlsOfMissingCerts.push(SBuf(issuerUri));
613 }
614 Ssl::SSL_add_untrusted_cert(session.get(), cert);
615 }
616
617 // Check if there are URIs to download from and if yes start downloading
618 // the first in queue.
619 if (urlsOfMissingCerts.size() && certsDownloads <= MaxCertsDownloads) {
620 startCertDownloading(urlsOfMissingCerts.front());
621 urlsOfMissingCerts.pop();
622 return;
623 }
624
625 srvBio->holdRead(false);
626 Security::PeerConnector::NegotiateSsl(serverConnection()->fd, this);
627 }
628
629 bool
630 Security::PeerConnector::checkForMissingCertificates()
631 {
632 // Check for nested SSL certificates downloads. For example when the
633 // certificate located in an SSL site which requires to download a
634 // a missing certificate (... from an SSL site which requires to ...).
635
636 const Downloader *csd = (request ? request->downloader.get() : nullptr);
637 if (csd && csd->nestedLevel() >= MaxNestedDownloads)
638 return false;
639
640 const int fd = serverConnection()->fd;
641 Security::SessionPointer session(fd_table[fd].ssl);
642 BIO *b = SSL_get_rbio(session.get());
643 Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(b->ptr);
644 const Security::CertList &certs = srvBio->serverCertificatesIfAny();
645
646 if (certs.size()) {
647 debugs(83, 5, "SSL server sent " << certs.size() << " certificates");
648 Ssl::missingChainCertificatesUrls(urlsOfMissingCerts, certs);
649 if (urlsOfMissingCerts.size()) {
650 startCertDownloading(urlsOfMissingCerts.front());
651 urlsOfMissingCerts.pop();
652 return true;
653 }
654 }
655
656 return false;
657 }
658 #endif //USE_OPENSSL
659
Mirror of https://github.com/squid-cache/squid.git