From: Christos Tsantilas Date: Fri, 27 Apr 2012 12:58:34 +0000 (+0300) Subject: Bug fix: src ACL broken with sslproxy_cert_error, part2 X-Git-Tag: BumpSslServerFirst.take08~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=65ba7f04ba826eb32ab22c60779a843492234106;p=thirdparty%2Fsquid.git Bug fix: src ACL broken with sslproxy_cert_error, part2 Use the original CONNECT request instead of creating the fake request. Set flags.sslPeek to mark the CONNECT request as the one used for peeking at the origin server certificate. Forward.cc now uses that flag when special handling is needed. This will allow us to use the original request, which includes the CONNECT request headers (eg X-Forwarded-For header) and other settings, with sslproxy_* acl checks. --- diff --git a/src/client_side.cc b/src/client_side.cc index 434095ff4a..1a6c6c50c7 100644 --- a/src/client_side.cc +++ b/src/client_side.cc @@ -3552,8 +3552,18 @@ httpsEstablish(ConnStateData *connState, SSL_CTX *sslContext) Comm::SetSelect(details->fd, COMM_SELECT_READ, clientNegotiateSSL, connState, 0); else { char buf[MAX_IPSTRLEN]; + HttpRequest *fakeRequest = new HttpRequest; + fakeRequest->SetHost(details->local.NtoA(buf, sizeof(buf))); + fakeRequest->port = details->local.GetPort(); + fakeRequest->clientConnectionManager = connState; + fakeRequest->client_addr = connState->clientConnection->remote; +#if FOLLOW_X_FORWARDED_FOR + fakeRequest->indirect_client_addr = connState->clientConnection->remote; +#endif + fakeRequest->my_addr = connState->clientConnection->local; + debugs(33, 4, HERE << details << " try to generate a Dynamic SSL CTX"); - connState->switchToHttps(details->local.NtoA(buf, sizeof(buf)), details->local.GetPort()); + connState->switchToHttps(fakeRequest); } } 
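Review bot: The request allocated with `new HttpRequest` on the new side of this hunk has no owner once `connState->switchToHttps(fakeRequest)` returns; as far as the visible hunks show, the callee only stores it in `Ssl::ServerBump` on the `alwaysBumpServerFirst && !sslServerBump` path, so on any other path the object is never released (the old code allocated nothing here). If HttpRequest is reference-counted as elsewhere in Squid (HTTPMSGLOCK/HTTPMSGUNLOCK), bracket the call: `HTTPMSGLOCK(fakeRequest); connState->switchToHttps(fakeRequest); HTTPMSGUNLOCK(fakeRequest);`, leaving the ServerBump's own reference as the survivor. Note also that, unlike the fake requests this commit deletes, this one never sets `protocol = AnyP::PROTO_HTTPS`, so a `proto` ACL evaluated against it sees the default protocol; a comment on the `new HttpRequest` line saying that the sslPeek flag set in switchToHttps, not the protocol, is what drives TLS in forward.cc would save the next reader a trip. httpsEstablish begins before this hunk.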
@@ -3690,16 +3700,9 @@ void ConnStateData::buildSslCertGenerationParams(Ssl::CertificateProperties &cer if (X509 *mimicCert = sslServerBump->serverCert.get()) certProperties.mimicCert.resetAndLock(mimicCert); - HttpRequest *fakeRequest = new HttpRequest(); - fakeRequest->SetHost(sslConnectHostOrIp.termedBuf()); - fakeRequest->port = clientConnection->local.GetPort(); - fakeRequest->protocol = AnyP::PROTO_HTTPS; - - ACLFilledChecklist checklist(NULL, fakeRequest, + ACLFilledChecklist checklist(NULL, sslServerBump->request, clientConnection != NULL ? clientConnection->rfc931 : dash_str); checklist.conn(this); - checklist.src_addr = clientConnection->remote; - checklist.my_addr = clientConnection->local; checklist.sslErrorList = cbdataReference(sslServerBump->bumpSslErrorNoList); for (sslproxy_cert_adapt *ca = Config.ssl_client.cert_adapt; ca != NULL; ca = ca->next) { @@ -3867,12 +3870,12 @@ ConnStateData::getSslContextDone(SSL_CTX * sslContext, bool isNew) } void -ConnStateData::switchToHttps(const char *host, const int port) +ConnStateData::switchToHttps(HttpRequest *request) { assert(!switchedToHttps_); - sslConnectHostOrIp = host; - sslCommonName = host; + sslConnectHostOrIp = request->GetHost(); + sslCommonName = request->GetHost(); // We are going to read new request flags.readMore = true; 
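Review bot: With the checklist now built from `sslServerBump->request`, the fields the removed fake request pinned — `protocol = AnyP::PROTO_HTTPS` and `src_addr`/`my_addr` copied straight from the connection — become whatever the CONNECT request (or the fake request from httpsEstablish) carries, so a `proto` ACL in sslproxy_cert_adapt or sslproxy_cert_sign may evaluate differently than before, and the addresses are presumably filled by ACLFilledChecklist from `request->client_addr`/`my_addr`; worth confirming and recording above the checklist, e.g. `// ACLs evaluate against the original CONNECT request (headers, client_addr, my_addr); proto is no longer forced to HTTPS`. `sslServerBump->request` is also dereferenced without a NULL check; if ServerBump cannot exist without a request that is fine, otherwise an `assert(sslServerBump->request)` makes the invariant explicit. buildSslCertGenerationParams begins before this hunk and continues after it.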
@@ -3883,18 +3886,8 @@ ConnStateData::switchToHttps(const char *host, const int port) // and now want to switch to SSL to send the error to the client // without even peeking at the origin server certificate. if (alwaysBumpServerFirst && !sslServerBump) { - HttpRequest *fakeRequest = new HttpRequest; - fakeRequest->flags.sslPeek = 1; - fakeRequest->SetHost(sslConnectHostOrIp.termedBuf()); - fakeRequest->port = port; - fakeRequest->protocol = AnyP::PROTO_HTTPS; - fakeRequest->clientConnectionManager = this; - fakeRequest->client_addr = clientConnection->remote; -#if FOLLOW_X_FORWARDED_FOR - fakeRequest->indirect_client_addr = clientConnection->remote; -#endif - fakeRequest->my_addr = clientConnection->local; - sslServerBump = new Ssl::ServerBump(fakeRequest); + request->flags.sslPeek = 1; + sslServerBump = new Ssl::ServerBump(request); // will call httpsPeeked() with certificate and connection, eventually FwdState::fwdStart(clientConnection, sslServerBump->entry, sslServerBump->request); diff --git a/src/client_side.h b/src/client_side.h index d3a14e54af..3efb5aa593 100644 --- a/src/client_side.h +++ b/src/client_side.h @@ -340,7 +340,7 @@ public: /// Proccess response from ssl_crtd. void sslCrtdHandleReply(const char * reply); - void switchToHttps(const char *host, const int port); + void switchToHttps(HttpRequest *request); bool switchedToHttps() const { return switchedToHttps_; } Ssl::ServerBump *serverBump() {return sslServerBump;} void setServerBump(Ssl::ServerBump *srvBump) {if (!sslServerBump) sslServerBump = srvBump;} diff --git a/src/client_side_request.cc b/src/client_side_request.cc index 30a91aa985..75975a4f94 100644 --- a/src/client_side_request.cc +++ b/src/client_side_request.cc @@ -1423,7 +1423,7 @@ ClientHttpRequest::sslBumpEstablish(comm_err_t errflag) getConn()->auth_user_request = request->auth_user_request; #endif - getConn()->switchToHttps(request->GetHost(), request->port); + getConn()->switchToHttps(request); } void 
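Review bot: `request->flags.sslPeek = 1` mutates the caller's request in place: on the sslBumpEstablish path this is the client's real CONNECT request rather than a private copy, so the flag is visible to everything else still holding that request, and `new Ssl::ServerBump(request)` stores a shared pointer rather than an owned one. That looks intended, but it deserves a comment above the assignment such as `// Mark the client's own CONNECT request as the peek request; forward.cc keys initiateSSL() on this flag, and ServerBump takes its own reference.` The branch condition also means a request passed in while `sslServerBump` already exists is neither flagged nor stored, so releasing a caller-allocated fake request on that path is left to the caller, which should be stated in switchToHttps's header comment. switchToHttps continues after this hunk.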
diff --git a/src/forward.cc b/src/forward.cc index 0a93966a1f..35528305e3 100644 --- a/src/forward.cc +++ b/src/forward.cc @@ -843,7 +843,8 @@ FwdState::connectDone(const Comm::ConnectionPointer &conn, comm_err_t status, in #if USE_SSL if ((serverConnection()->getPeer() && serverConnection()->getPeer()->use_ssl) || - (!serverConnection()->getPeer() && request->protocol == AnyP::PROTO_HTTPS)) { + (!serverConnection()->getPeer() && request->protocol == AnyP::PROTO_HTTPS) || + (request->flags.sslPeek)) { initiateSSL(); return; }
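Review bot: The added `(request->flags.sslPeek)` clause is OR-ed outside the peer checks, so a peeking request now calls `initiateSSL()` even when a cache_peer without `use_ssl` was selected, where the previous condition would not have started TLS; if peeking is only meaningful directly to the origin, fold the flag into the no-peer arm, `(!serverConnection()->getPeer() && (request->protocol == AnyP::PROTO_HTTPS || request->flags.sslPeek))`, otherwise add a comment stating that TLS to a non-SSL peer is intended for peeking. Either way a short comment on why sslPeek bypasses the protocol test is warranted, since the CONNECT request this flag now rides on does not carry PROTO_HTTPS. connectDone begins before this hunk and continues after it.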