]>
git.ipfire.org Git - thirdparty/squid.git/blob - src/ssl/bio.cc
2 * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
9 /* DEBUG: section 83 SSL accelerator support */
12 #include "ssl/support.h"
14 /* support.cc says this is needed */
21 #include "ip/Address.h"
22 #include "parser/BinaryTokenizer.h"
23 #include "SquidTime.h"
27 extern int socket_read_method(int, char *, int);
28 extern int socket_write_method(int, const char *, int);
32 static int squid_bio_write(BIO
*h
, const char *buf
, int num
);
33 static int squid_bio_read(BIO
*h
, char *buf
, int size
);
34 static int squid_bio_puts(BIO
*h
, const char *str
);
35 //static int squid_bio_gets(BIO *h, char *str, int size);
36 static long squid_bio_ctrl(BIO
*h
, int cmd
, long arg1
, void *arg2
);
37 static int squid_bio_create(BIO
*h
);
38 static int squid_bio_destroy(BIO
*data
);
40 static void squid_ssl_info(const SSL
*ssl
, int where
, int ret
);
42 #if HAVE_LIBCRYPTO_BIO_METH_NEW
43 static BIO_METHOD
*SquidMethods
= nullptr;
45 /// Initialization structure for the BIO table with
46 /// Squid-specific methods and BIO method wrappers.
47 static BIO_METHOD SquidMethods
= {
53 NULL
, // squid_bio_gets not supported
57 NULL
// squid_callback_ctrl not supported
62 Ssl::Bio::Create(const int fd
, Security::Io::Type type
)
64 #if HAVE_LIBCRYPTO_BIO_METH_NEW
66 SquidMethods
= BIO_meth_new(BIO_TYPE_SOCKET
, "squid");
67 BIO_meth_set_write(SquidMethods
, squid_bio_write
);
68 BIO_meth_set_read(SquidMethods
, squid_bio_read
);
69 BIO_meth_set_puts(SquidMethods
, squid_bio_puts
);
70 BIO_meth_set_gets(SquidMethods
, NULL
);
71 BIO_meth_set_ctrl(SquidMethods
, squid_bio_ctrl
);
72 BIO_meth_set_create(SquidMethods
, squid_bio_create
);
73 BIO_meth_set_destroy(SquidMethods
, squid_bio_destroy
);
75 BIO_METHOD
*useMethod
= SquidMethods
;
77 BIO_METHOD
*useMethod
= &SquidMethods
;
80 if (BIO
*bio
= BIO_new(useMethod
)) {
81 BIO_int_ctrl(bio
, BIO_C_SET_FD
, type
, fd
);
88 Ssl::Bio::Link(SSL
*ssl
, BIO
*bio
)
90 SSL_set_bio(ssl
, bio
, bio
); // cannot fail
91 SSL_set_info_callback(ssl
, &squid_ssl_info
); // does not provide diagnostic
94 Ssl::Bio::Bio(const int anFd
): fd_(anFd
)
96 debugs(83, 7, "Bio constructed, this=" << this << " FD " << fd_
);
101 debugs(83, 7, "Bio destructing, this=" << this << " FD " << fd_
);
104 int Ssl::Bio::write(const char *buf
, int size
, BIO
*table
)
108 const int result
= socket_write_method(fd_
, buf
, size
);
110 const int result
= default_write_method(fd_
, buf
, size
);
112 const int xerrno
= errno
;
113 debugs(83, 5, "FD " << fd_
<< " wrote " << result
<< " <= " << size
);
115 BIO_clear_retry_flags(table
);
117 const bool ignoreError
= ignoreErrno(xerrno
) != 0;
118 debugs(83, 5, "error: " << xerrno
<< " ignored: " << ignoreError
);
120 BIO_set_retry_write(table
);
127 Ssl::Bio::read(char *buf
, int size
, BIO
*table
)
131 const int result
= socket_read_method(fd_
, buf
, size
);
133 const int result
= default_read_method(fd_
, buf
, size
);
135 const int xerrno
= errno
;
136 debugs(83, 5, "FD " << fd_
<< " read " << result
<< " <= " << size
);
138 BIO_clear_retry_flags(table
);
140 const bool ignoreError
= ignoreErrno(xerrno
) != 0;
141 debugs(83, 5, "error: " << xerrno
<< " ignored: " << ignoreError
);
143 BIO_set_retry_read(table
);
149 /// Called whenever the SSL connection state changes, an alert appears, or an
150 /// error occurs. See SSL_set_info_callback().
152 Ssl::Bio::stateChanged(const SSL
*ssl
, int where
, int ret
)
154 // Here we can use (where & STATE) to check the current state.
155 // Many STATE values are possible, including: SSL_CB_CONNECT_LOOP,
156 // SSL_CB_ACCEPT_LOOP, SSL_CB_HANDSHAKE_START, and SSL_CB_HANDSHAKE_DONE.
158 // if (where & SSL_CB_HANDSHAKE_START)
159 // debugs(83, 9, "Trying to establish the SSL connection");
160 // else if (where & SSL_CB_HANDSHAKE_DONE)
161 // debugs(83, 9, "SSL connection established");
163 debugs(83, 7, "FD " << fd_
<< " now: 0x" << std::hex
<< where
<< std::dec
<< ' ' <<
164 SSL_state_string(ssl
) << " (" << SSL_state_string_long(ssl
) << ")");
167 Ssl::ClientBio::ClientBio(const int anFd
):
174 renegotiations
.configure(10*1000);
178 Ssl::ClientBio::stateChanged(const SSL
*ssl
, int where
, int ret
)
180 Ssl::Bio::stateChanged(ssl
, where
, ret
);
181 // detect client-initiated renegotiations DoS (CVE-2011-1473)
182 if (where
& SSL_CB_HANDSHAKE_START
) {
183 const int reneg
= renegotiations
.count(1);
186 return; // already decided and informed the admin
188 if (reneg
> RenegotiationsLimit
) {
189 abortReason
= "renegotiate requests flood";
190 debugs(83, DBG_IMPORTANT
, "Terminating TLS connection [from " << fd_table
[fd_
].ipaddr
<< "] due to " << abortReason
<< ". This connection received " <<
191 reneg
<< " renegotiate requests in the last " <<
192 RenegotiationsWindow
<< " seconds (and " <<
193 renegotiations
.remembered() << " requests total).");
199 Ssl::ClientBio::write(const char *buf
, int size
, BIO
*table
)
202 debugs(83, 3, "BIO on FD " << fd_
<< " is aborted");
203 BIO_clear_retry_flags(table
);
208 BIO_set_retry_write(table
);
212 return Ssl::Bio::write(buf
, size
, table
);
216 Ssl::ClientBio::read(char *buf
, int size
, BIO
*table
)
219 debugs(83, 3, "BIO on FD " << fd_
<< " is aborted");
220 BIO_clear_retry_flags(table
);
225 debugs(83, 7, "Hold flag is set, retry latter. (Hold " << size
<< "bytes)");
226 BIO_set_retry_read(table
);
230 if (!rbuf
.isEmpty()) {
231 int bytes
= (size
<= (int)rbuf
.length() ? size
: rbuf
.length());
232 memcpy(buf
, rbuf
.rawContent(), bytes
);
236 return Ssl::Bio::read(buf
, size
, table
);
241 Ssl::ServerBio::ServerBio(const int anFd
):
249 parsedHandshake(false),
253 parser_(Security::HandshakeParser::fromServer
)
258 Ssl::ServerBio::stateChanged(const SSL
*ssl
, int where
, int ret
)
260 Ssl::Bio::stateChanged(ssl
, where
, ret
);
264 Ssl::ServerBio::setClientFeatures(Security::TlsDetails::Pointer
const &details
, SBuf
const &aHello
)
266 clientTlsDetails
= details
;
267 clientSentHello
= aHello
;
271 Ssl::ServerBio::read(char *buf
, int size
, BIO
*table
)
273 if (parsedHandshake
) // done parsing TLS Hello
274 return readAndGive(buf
, size
, table
);
276 return readAndParse(buf
, size
, table
);
279 /// Read and give everything to OpenSSL.
281 Ssl::ServerBio::readAndGive(char *buf
, const int size
, BIO
*table
)
283 // If we have unused buffered bytes, give those bytes to OpenSSL now,
284 // before reading more. TODO: Read if we have buffered less than size?
285 if (rbufConsumePos
< rbuf
.length())
286 return giveBuffered(buf
, size
);
289 const int result
= readAndBuffer(table
);
292 return giveBuffered(buf
, size
);
295 return Ssl::Bio::read(buf
, size
, table
);
298 /// Read and give everything to our parser.
299 /// When/if parsing is finished (successfully or not), start giving to OpenSSL.
301 Ssl::ServerBio::readAndParse(char *buf
, const int size
, BIO
*table
)
303 const int result
= readAndBuffer(table
);
308 if (!parser_
.parseHello(rbuf
)) {
309 // need more data to finish parsing
310 BIO_set_retry_read(table
);
313 parsedHandshake
= true; // done parsing (successfully)
315 catch (const std::exception
&ex
) {
316 debugs(83, 2, "parsing error on FD " << fd_
<< ": " << ex
.what());
317 parsedHandshake
= true; // done parsing (due to an error)
321 return giveBuffered(buf
, size
);
324 /// Reads more data into the read buffer. Returns either the number of bytes
325 /// read or, on errors (including "try again" errors), a negative number.
327 Ssl::ServerBio::readAndBuffer(BIO
*table
)
329 char *space
= rbuf
.rawAppendStart(SQUID_TCP_SO_RCVBUF
);
330 const int result
= Ssl::Bio::read(space
, SQUID_TCP_SO_RCVBUF
, table
);
334 rbuf
.rawAppendFinish(space
, result
);
338 /// give previously buffered bytes to OpenSSL
339 /// returns the number of bytes given
341 Ssl::ServerBio::giveBuffered(char *buf
, const int size
)
343 if (rbuf
.length() <= rbufConsumePos
)
344 return -1; // buffered nothing yet
346 const int unsent
= rbuf
.length() - rbufConsumePos
;
347 const int bytes
= (size
<= unsent
? size
: unsent
);
348 memcpy(buf
, rbuf
.rawContent() + rbufConsumePos
, bytes
);
349 rbufConsumePos
+= bytes
;
350 debugs(83, 7, bytes
<< "<=" << size
<< " bytes to OpenSSL");
354 // This function makes the required checks to examine if the client hello
355 // message is compatible with the features provided by OpenSSL toolkit.
356 // If the features are compatible and can be supported it tries to rewrite SSL
357 // structure members, to replace the hello message created by openSSL, with the
358 // web client SSL hello message.
359 // This is mostly possible in the cases where the web client uses openSSL
360 // library similar with this one used by squid.
362 adjustSSL(SSL
*ssl
, Security::TlsDetails::Pointer
const &details
, SBuf
&helloMessage
)
364 #if SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK
369 debugs(83, 5, "No SSLv3 data found!");
373 // If the client supports compression but our context does not support
374 // we can not adjust.
375 #if !defined(OPENSSL_NO_COMP)
376 const bool requireCompression
= (details
->compressionSupported
&& ssl
->ctx
->comp_methods
== nullptr);
378 const bool requireCompression
= details
->compressionSupported
;
380 if (requireCompression
) {
381 debugs(83, 5, "Client Hello Data supports compression, but we do not!");
385 #if !defined(SSL_TLSEXT_HB_ENABLED)
386 if (details
->doHeartBeats
) {
387 debugs(83, 5, "Client Hello Data supports HeartBeats but we do not support!");
392 if (details
->unsupportedExtensions
) {
393 debugs(83, 5, "Client Hello contains extensions that we do not support!");
397 SSL3_BUFFER
*wb
=&(ssl
->s3
->wbuf
);
398 if (wb
->len
< (size_t)helloMessage
.length()) {
399 debugs(83, 5, "Client Hello exceeds OpenSSL buffer: " << helloMessage
.length() << " >= " << wb
->len
);
403 /* Check whether all on-the-wire ciphers are supported by OpenSSL. */
405 const auto &wireCiphers
= details
->ciphers
;
406 Security::TlsDetails::Ciphers::size_type ciphersToFind
= wireCiphers
.size();
408 // RFC 5746: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV is not a true cipher suite".
409 // It is commonly seen on the wire, including in from-OpenSSL traffic, but
410 // SSL_get_ciphers() does not return this _pseudo_ cipher suite in my tests.
411 // If OpenSSL supports scsvCipher, we count it (at most once) further below.
412 #if defined(TLSEXT_TYPE_renegotiate)
413 // the 0x00FFFF mask converts 3-byte OpenSSL cipher to our 2-byte cipher
414 const uint16_t scsvCipher
= SSL3_CK_SCSV
& 0x00FFFF;
416 const uint16_t scsvCipher
= 0;
419 STACK_OF(SSL_CIPHER
) *cipher_stack
= SSL_get_ciphers(ssl
);
420 const int supportedCipherCount
= sk_SSL_CIPHER_num(cipher_stack
);
421 for (int idx
= 0; idx
< supportedCipherCount
&& ciphersToFind
> 0; ++idx
) {
422 const SSL_CIPHER
*cipher
= sk_SSL_CIPHER_value(cipher_stack
, idx
);
423 const auto id
= SSL_CIPHER_get_id(cipher
) & 0x00FFFF;
424 if (wireCiphers
.find(id
) != wireCiphers
.end() && (!scsvCipher
|| id
!= scsvCipher
))
428 if (ciphersToFind
> 0 && scsvCipher
&& wireCiphers
.find(scsvCipher
) != wireCiphers
.end())
431 if (ciphersToFind
> 0) {
432 // TODO: Add slowlyReportUnsupportedCiphers() to slowly find and report each of them
433 debugs(83, 5, "Client Hello Data has " << ciphersToFind
<< " ciphers that we do not support!");
437 debugs(83, 5, "OpenSSL SSL struct will be adjusted to mimic client hello data!");
439 //Adjust ssl structure data.
440 // We need to fix the random in SSL struct:
441 if (details
->clientRandom
.length() == SSL3_RANDOM_SIZE
)
442 memcpy(ssl
->s3
->client_random
, details
->clientRandom
.c_str(), SSL3_RANDOM_SIZE
);
443 memcpy(wb
->buf
, helloMessage
.rawContent(), helloMessage
.length());
444 wb
->left
= helloMessage
.length();
446 size_t mainHelloSize
= helloMessage
.length() - 5;
447 const char *mainHello
= helloMessage
.rawContent() + 5;
448 assert((size_t)ssl
->init_buf
->max
> mainHelloSize
);
449 memcpy(ssl
->init_buf
->data
, mainHello
, mainHelloSize
);
450 debugs(83, 5, "Hello Data init and adjustd sizes :" << ssl
->init_num
<< " = "<< mainHelloSize
);
451 ssl
->init_num
= mainHelloSize
;
452 ssl
->s3
->wpend_ret
= mainHelloSize
;
453 ssl
->s3
->wpend_tot
= mainHelloSize
;
461 Ssl::ServerBio::write(const char *buf
, int size
, BIO
*table
)
465 debugs(83, 7, "postpone writing " << size
<< " bytes to SSL FD " << fd_
);
466 BIO_set_retry_write(table
);
470 if (!helloBuild
&& (bumpMode_
== Ssl::bumpPeek
|| bumpMode_
== Ssl::bumpStare
)) {
471 // buf contains OpenSSL-generated ClientHello. We assume it has a
472 // complete ClientHello and nothing else, but cannot fully verify
473 // that quickly. We only verify that buf starts with a v3+ record
474 // containing ClientHello.
475 Must(size
>= 2); // enough for version and content_type checks below
476 Must(buf
[1] >= 3); // record's version.major; determines buf[0] meaning
477 Must(buf
[0] == 22); // TLSPlaintext.content_type == handshake in v3+
479 //Hello message is the first message we write to server
480 assert(helloMsg
.isEmpty());
482 if (auto ssl
= fd_table
[fd_
].ssl
.get()) {
483 if (bumpMode_
== Ssl::bumpPeek
) {
484 // we should not be here if we failed to parse the client-sent ClientHello
485 Must(!clientSentHello
.isEmpty());
486 if (adjustSSL(ssl
, clientTlsDetails
, clientSentHello
))
489 // Replace OpenSSL-generated ClientHello with client-sent one.
490 helloMsg
.append(clientSentHello
);
491 debugs(83, 7, "FD " << fd_
<< ": Using client-sent ClientHello for peek mode");
492 } else { /*Ssl::bumpStare*/
494 if (!clientSentHello
.isEmpty() && adjustSSL(ssl
, clientTlsDetails
, clientSentHello
)) {
496 helloMsg
.append(clientSentHello
);
497 debugs(83, 7, "FD " << fd_
<< ": Using client-sent ClientHello for stare mode");
501 // if we did not use the client-sent ClientHello, then use the OpenSSL-generated one
502 if (helloMsg
.isEmpty())
503 helloMsg
.append(buf
, size
);
506 helloMsgSize
= helloMsg
.length();
510 // Do not write yet.....
511 BIO_set_retry_write(table
);
516 if (!helloMsg
.isEmpty()) {
517 debugs(83, 7, "buffered write for FD " << fd_
);
518 int ret
= Ssl::Bio::write(helloMsg
.rawContent(), helloMsg
.length(), table
);
519 helloMsg
.consume(ret
);
520 if (!helloMsg
.isEmpty()) {
521 // We need to retry sendind data.
522 // Say to openSSL to retry sending hello message
523 BIO_set_retry_write(table
);
527 // Sending hello message complete. Do not send more data for now...
530 // spoof openSSL that we write what it ask us to write
533 return Ssl::Bio::write(buf
, size
, table
);
537 Ssl::ServerBio::flush(BIO
*table
)
539 if (!helloMsg
.isEmpty()) {
540 int ret
= Ssl::Bio::write(helloMsg
.rawContent(), helloMsg
.length(), table
);
541 helloMsg
.consume(ret
);
546 Ssl::ServerBio::resumingSession()
548 return parser_
.resumingSession
;
552 Ssl::ServerBio::encryptedCertificates() const
554 return parser_
.details
->tlsSupportedVersion
&&
555 Security::Tls1p3orLater(parser_
.details
->tlsSupportedVersion
);
558 /// initializes BIO table after allocation
560 squid_bio_create(BIO
*bi
)
562 #if !HAVE_LIBCRYPTO_BIO_GET_INIT
563 bi
->init
= 0; // set when we store Bio object and socket fd (BIO_C_SET_FD)
567 // No need to set more, openSSL initialize BIO memory to zero.
570 BIO_set_data(bi
, NULL
);
574 /// cleans BIO table before deallocation
576 squid_bio_destroy(BIO
*table
)
578 delete static_cast<Ssl::Bio
*>(BIO_get_data(table
));
579 BIO_set_data(table
, NULL
);
583 /// wrapper for Bio::write()
585 squid_bio_write(BIO
*table
, const char *buf
, int size
)
587 Ssl::Bio
*bio
= static_cast<Ssl::Bio
*>(BIO_get_data(table
));
589 return bio
->write(buf
, size
, table
);
592 /// wrapper for Bio::read()
594 squid_bio_read(BIO
*table
, char *buf
, int size
)
596 Ssl::Bio
*bio
= static_cast<Ssl::Bio
*>(BIO_get_data(table
));
598 return bio
->read(buf
, size
, table
);
601 /// implements puts() via write()
603 squid_bio_puts(BIO
*table
, const char *str
)
606 return squid_bio_write(table
, str
, strlen(str
));
609 /// other BIO manipulations (those without dedicated callbacks in BIO table)
611 squid_bio_ctrl(BIO
*table
, int cmd
, long arg1
, void *arg2
)
613 debugs(83, 5, table
<< ' ' << cmd
<< '(' << arg1
<< ", " << arg2
<< ')');
618 const int fd
= *static_cast<int*>(arg2
);
620 if (arg1
== Security::Io::BIO_TO_SERVER
)
621 bio
= new Ssl::ServerBio(fd
);
623 bio
= new Ssl::ClientBio(fd
);
624 assert(!BIO_get_data(table
));
625 BIO_set_data(table
, bio
);
626 BIO_set_init(table
, 1);
631 if (BIO_get_init(table
)) {
632 Ssl::Bio
*bio
= static_cast<Ssl::Bio
*>(BIO_get_data(table
));
635 *static_cast<int*>(arg2
) = bio
->fd();
641 // Should implemented if the SSL_dup openSSL API function
642 // used anywhere in squid.
646 if (BIO_get_init(table
)) {
647 Ssl::Bio
*bio
= static_cast<Ssl::Bio
*>(BIO_get_data(table
));
654 /* we may also need to implement these:
656 case BIO_C_FILE_SEEK:
657 case BIO_C_FILE_TELL:
659 case BIO_CTRL_GET_CLOSE:
660 case BIO_CTRL_SET_CLOSE:
661 case BIO_CTRL_PENDING:
662 case BIO_CTRL_WPENDING:
669 return 0; /* NOTREACHED */
672 /// wrapper for Bio::stateChanged()
674 squid_ssl_info(const SSL
*ssl
, int where
, int ret
)
676 if (BIO
*table
= SSL_get_rbio(ssl
)) {
677 if (Ssl::Bio
*bio
= static_cast<Ssl::Bio
*>(BIO_get_data(table
)))
678 bio
->stateChanged(ssl
, where
, ret
);
683 applyTlsDetailsToSSL(SSL
*ssl
, Security::TlsDetails::Pointer
const &details
, Ssl::BumpMode bumpMode
)
685 // To increase the possibility for bumping after peek mode selection or
686 // splicing after stare mode selection it is good to set the
687 // SSL protocol version.
688 // The SSL_set_ssl_method is wrong here because it will restrict the
689 // permitted transport version to be identical to the version used in the
690 // ClientHello message.
691 // For example will prevent comunnicating with a tls1.0 server if the
692 // client sent and tlsv1.2 Hello message.
693 #if defined(TLSEXT_NAMETYPE_host_name)
694 if (!details
->serverName
.isEmpty()) {
695 SSL_set_tlsext_host_name(ssl
, details
->serverName
.c_str());
699 if (!details
->ciphers
.empty()) {
701 for (auto cipherId
: details
->ciphers
) {
702 unsigned char cbytes
[3];
703 cbytes
[0] = (cipherId
>> 8) & 0xFF;
704 cbytes
[1] = cipherId
& 0xFF;
706 if (const auto c
= SSL_CIPHER_find(ssl
, cbytes
)) {
707 if (!strCiphers
.isEmpty())
708 strCiphers
.append(":");
709 strCiphers
.append(SSL_CIPHER_get_name(c
));
712 if (!strCiphers
.isEmpty())
713 SSL_set_cipher_list(ssl
, strCiphers
.c_str());
716 #if defined(SSL_OP_NO_COMPRESSION) /* XXX: OpenSSL 0.9.8k lacks SSL_OP_NO_COMPRESSION */
717 if (!details
->compressionSupported
)
718 SSL_set_options(ssl
, SSL_OP_NO_COMPRESSION
);
721 #if defined(SSL_OP_NO_TLSv1_3)
722 // avoid "inappropriate fallback" OpenSSL error messages
723 if (details
->tlsSupportedVersion
&& Security::Tls1p2orEarlier(details
->tlsSupportedVersion
))
724 SSL_set_options(ssl
, SSL_OP_NO_TLSv1_3
);
727 #if defined(TLSEXT_STATUSTYPE_ocsp)
728 if (details
->tlsStatusRequest
)
729 SSL_set_tlsext_status_type(ssl
, TLSEXT_STATUSTYPE_ocsp
);
732 #if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)
733 if (!details
->tlsAppLayerProtoNeg
.isEmpty()) {
734 if (bumpMode
== Ssl::bumpPeek
)
735 SSL_set_alpn_protos(ssl
, (const unsigned char*)details
->tlsAppLayerProtoNeg
.rawContent(), details
->tlsAppLayerProtoNeg
.length());
737 static const unsigned char supported_protos
[] = {8, 'h','t','t', 'p', '/', '1', '.', '1'};
738 SSL_set_alpn_protos(ssl
, supported_protos
, sizeof(supported_protos
));
744 #endif // USE_OPENSSL